

5 commits

smeagol-help
49d6ed1a1e fix(container): update image docker.io/library/haproxy ( 2.9.0 → 2.9.1 )
| datasource | package                   | from  | to    |
| ---------- | ------------------------- | ----- | ----- |
| docker     | docker.io/library/haproxy | 2.9.0 | 2.9.1 |
2024-01-11 16:03:46 +00:00
5248d01bce adding additional haproxy for k3s 2024-01-11 09:15:25 -06:00
dc2060dbe9 Add camera and new vm. 2024-01-11 08:13:33 -06:00
c5e41d2f9f Added camera. 2024-01-08 15:21:49 -06:00
28bc25a300 Update config to match vyos 1.4 rc1 2024-01-04 09:38:19 -06:00
11 changed files with 124 additions and 124 deletions


@ -4,7 +4,7 @@
set container network containers prefix '10.5.0.0/24'
# haproxy-k8s-api
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.9.0'
set container name haproxy-k8s-api image 'docker.io/library/haproxy:2.9.1'
set container name haproxy-k8s-api memory '0'
set container name haproxy-k8s-api network containers address '10.5.0.2'
set container name haproxy-k8s-api restart 'on-failure'
@ -13,6 +13,16 @@ set container name haproxy-k8s-api volume config source '/config/containers/hapr
set container name haproxy-k8s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
set container name haproxy-k8s-api volume config mode 'ro'
# haproxy-k3s-api
set container name haproxy-k3s-api image 'docker.io/library/haproxy:2.9.1'
set container name haproxy-k3s-api memory '0'
set container name haproxy-k3s-api network containers address '10.5.0.3'
set container name haproxy-k3s-api restart 'on-failure'
set container name haproxy-k3s-api shared-memory '0'
set container name haproxy-k3s-api volume config source '/config/containers/haproxy-k3s/config/haproxy.cfg'
set container name haproxy-k3s-api volume config destination '/usr/local/etc/haproxy/haproxy.cfg'
set container name haproxy-k3s-api volume config mode 'ro'
# node-exporter
set container name node-exporter environment procfs value '/host/proc'
set container name node-exporter environment rootfs value '/host/rootfs'
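Review bot: The new haproxy-k3s-api container (second hunk) is pinned only by the mutable tag `docker.io/library/haproxy:2.9.1`, so after any re-pull the router runs whatever the registry currently serves under that tag, and the renovate bump in the first hunk stops being the only path by which the image changes. VyOS hands this reference to podman, which accepts a digest-qualified form such as `docker.io/library/haproxy:2.9.1@sha256:<digest-placeholder>`; if the VyOS `image` validator accepts that form, renovate can keep both tag and digest current. The new container also copies `memory '0'` and `shared-memory '0'` from haproxy-k8s-api, which if `0` means unlimited leaves a front door for the k3s API with no memory ceiling; a comment such as `# memory 0 = no limit; haproxy for k3s API, bounded by host` would at least record that this is intentional. The read-only mount of haproxy.cfg (`mode 'ro'`) is the right choice and worth keeping.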


@ -2,7 +2,7 @@
# From IOT to LAN
set firewall ipv4 name iot-lan default-action 'drop'
set firewall ipv4 name iot-lan description 'From IOT to LAN'
set firewall ipv4 name iot-lan enable-default-log
set firewall ipv4 name iot-lan default-log
set firewall ipv4 name iot-lan rule 999 action 'drop'
set firewall ipv4 name iot-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-lan rule 999 state invalid
@ -11,7 +11,7 @@ set firewall ipv4 name iot-lan rule 999 log
# From IOT to LOCAL
set firewall ipv4 name iot-local default-action 'drop'
set firewall ipv4 name iot-local description 'From IOT to LOCAL'
set firewall ipv4 name iot-local enable-default-log
set firewall ipv4 name iot-local default-log
set firewall ipv4 name iot-local rule 50 action 'accept'
set firewall ipv4 name iot-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name iot-local rule 50 destination port '67,68'
@ -46,37 +46,13 @@ set firewall ipv4 name iot-local rule 999 log
# From IOT to SERVERS
set firewall ipv4 name iot-servers default-action 'drop'
set firewall ipv4 name iot-servers description 'From IOT to SERVERS'
set firewall ipv4 name iot-servers enable-default-log
set firewall ipv4 name iot-servers rule 100 action 'accept'
set firewall ipv4 name iot-servers rule 100 description 'Rule: accept_nas_smb_from_scanners'
set firewall ipv4 name iot-servers rule 100 destination group address-group 'nas'
set firewall ipv4 name iot-servers rule 100 destination port 'microsoft-ds'
set firewall ipv4 name iot-servers rule 100 protocol 'tcp'
set firewall ipv4 name iot-servers rule 100 source group address-group 'scanners'
set firewall ipv4 name iot-servers rule 200 action 'accept'
set firewall ipv4 name iot-servers rule 200 description 'Rule: accept_plex_from_plex_clients'
set firewall ipv4 name iot-servers rule 200 destination group address-group 'k8s_plex'
set firewall ipv4 name iot-servers rule 200 destination port '32400'
set firewall ipv4 name iot-servers rule 200 protocol 'tcp'
set firewall ipv4 name iot-servers rule 200 source group address-group 'plex_clients'
set firewall ipv4 name iot-servers rule 300 action 'accept'
set firewall ipv4 name iot-servers rule 300 description 'Rule: accept_mqtt_from_mqtt_clients'
set firewall ipv4 name iot-servers rule 300 destination group address-group 'k8s_mqtt'
set firewall ipv4 name iot-servers rule 300 destination port '1883'
set firewall ipv4 name iot-servers rule 300 protocol 'tcp'
set firewall ipv4 name iot-servers rule 300 source group address-group 'mqtt_clients'
set firewall ipv4 name iot-servers default-log
set firewall ipv4 name iot-servers rule 400 action 'accept'
set firewall ipv4 name iot-servers rule 400 description 'Rule: accept_k8s_ingress_from_sonos_players'
set firewall ipv4 name iot-servers rule 400 destination group address-group 'k8s_ingress'
set firewall ipv4 name iot-servers rule 400 destination port 'http,https'
set firewall ipv4 name iot-servers rule 400 protocol 'tcp'
set firewall ipv4 name iot-servers rule 400 source group address-group 'sonos_players'
set firewall ipv4 name iot-servers rule 410 action 'accept'
set firewall ipv4 name iot-servers rule 410 description 'Rule: accept_k8s_ingress_from_allowed_devices'
set firewall ipv4 name iot-servers rule 410 destination group address-group 'k8s_ingress'
set firewall ipv4 name iot-servers rule 410 destination port 'http,https'
set firewall ipv4 name iot-servers rule 410 protocol 'tcp'
set firewall ipv4 name iot-servers rule 410 source group address-group 'k8s_ingress_allowed'
set firewall ipv4 name iot-servers rule 999 action 'drop'
set firewall ipv4 name iot-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-servers rule 999 state invalid
@ -97,19 +73,7 @@ set firewall ipv4 name iot-containers rule 999 log
# From IOT to TRUSTED
set firewall ipv4 name iot-trusted default-action 'drop'
set firewall ipv4 name iot-trusted description 'From IOT to TRUSTED'
set firewall ipv4 name iot-trusted enable-default-log
set firewall ipv4 name iot-trusted rule 100 action 'accept'
set firewall ipv4 name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
set firewall ipv4 name iot-trusted rule 100 destination group address-group 'sonos_controllers'
set firewall ipv4 name iot-trusted rule 100 destination port '319,320,30000-65535'
set firewall ipv4 name iot-trusted rule 100 protocol 'udp'
set firewall ipv4 name iot-trusted rule 100 source group address-group 'sonos_players'
set firewall ipv4 name iot-trusted rule 110 action 'accept'
set firewall ipv4 name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
set firewall ipv4 name iot-trusted rule 110 destination group address-group 'sonos_controllers'
set firewall ipv4 name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
set firewall ipv4 name iot-trusted rule 110 protocol 'tcp'
set firewall ipv4 name iot-trusted rule 110 source group address-group 'sonos_players'
set firewall ipv4 name iot-trusted default-log
set firewall ipv4 name iot-trusted rule 999 action 'drop'
set firewall ipv4 name iot-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name iot-trusted rule 999 state invalid
@ -118,7 +82,7 @@ set firewall ipv4 name iot-trusted rule 999 log
# From IOT to VIDEO
set firewall ipv4 name iot-video default-action 'drop'
set firewall ipv4 name iot-video description 'From IOT to VIDEO'
set firewall ipv4 name iot-video enable-default-log
set firewall ipv4 name iot-video default-log
set firewall ipv4 name iot-video rule 100 action 'accept'
set firewall ipv4 name iot-video rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name iot-video rule 100 protocol 'tcp'
@ -135,7 +99,7 @@ set firewall ipv4 name iot-wan description 'From IOT to WAN'
# From LAN to IoT
set firewall ipv4 name lan-iot default-action 'drop'
set firewall ipv4 name lan-iot description 'From LAN to IOT'
set firewall ipv4 name lan-iot enable-default-log
set firewall ipv4 name lan-iot default-log
set firewall ipv4 name lan-iot rule 999 action 'drop'
set firewall ipv4 name lan-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-iot rule 999 state invalid
@ -144,7 +108,7 @@ set firewall ipv4 name lan-iot rule 999 log
# From LAN to LOCAL
set firewall ipv4 name lan-local default-action 'drop'
set firewall ipv4 name lan-local description 'From LAN to LOCAL'
set firewall ipv4 name lan-local enable-default-log
set firewall ipv4 name lan-local default-log
set firewall ipv4 name lan-local rule 40 action 'accept'
set firewall ipv4 name lan-local rule 40 description 'Rule: accept_dns'
set firewall ipv4 name lan-local rule 40 destination port 'domain,domain-s'
@ -174,7 +138,7 @@ set firewall ipv4 name lan-local rule 999 log
# From LAN to SERVERS
set firewall ipv4 name lan-servers default-action 'drop'
set firewall ipv4 name lan-servers description 'From LAN to SERVERS'
set firewall ipv4 name lan-servers enable-default-log
set firewall ipv4 name lan-servers default-log
set firewall ipv4 name lan-servers rule 999 action 'drop'
set firewall ipv4 name lan-servers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-servers rule 999 state invalid
@ -195,7 +159,7 @@ set firewall ipv4 name lan-containers rule 999 log
# From LAN to TRUSTED
set firewall ipv4 name lan-trusted default-action 'drop'
set firewall ipv4 name lan-trusted description 'From LAN to TRUSTED'
set firewall ipv4 name lan-trusted enable-default-log
set firewall ipv4 name lan-trusted default-log
set firewall ipv4 name lan-trusted rule 999 action 'drop'
set firewall ipv4 name lan-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-trusted rule 999 state invalid
@ -204,7 +168,7 @@ set firewall ipv4 name lan-trusted rule 999 log
# From LAN to VIDEO
set firewall ipv4 name lan-video default-action 'drop'
set firewall ipv4 name lan-video description 'From LAN to VIDEO'
set firewall ipv4 name lan-video enable-default-log
set firewall ipv4 name lan-video default-log
set firewall ipv4 name lan-video rule 999 action 'drop'
set firewall ipv4 name lan-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name lan-video rule 999 state invalid
@ -217,7 +181,7 @@ set firewall ipv4 name lan-wan description 'From LAN to WAN'
# From LOCAL to IOT
set firewall ipv4 name local-iot default-action 'drop'
set firewall ipv4 name local-iot description 'From LOCAL to IOT'
set firewall ipv4 name local-iot enable-default-log
set firewall ipv4 name local-iot default-log
set firewall ipv4 name local-iot rule 100 action 'accept'
set firewall ipv4 name local-iot rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name local-iot rule 100 protocol '2'
@ -226,11 +190,6 @@ set firewall ipv4 name local-iot rule 110 description 'Rule: accept_mdns'
set firewall ipv4 name local-iot rule 110 destination port 'mdns'
set firewall ipv4 name local-iot rule 110 protocol 'udp'
set firewall ipv4 name local-iot rule 110 source port 'mdns'
set firewall ipv4 name local-iot rule 200 action 'accept'
set firewall ipv4 name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall ipv4 name local-iot rule 200 destination group port-group sonos-discovery
set firewall ipv4 name local-iot rule 200 protocol 'udp'
set firewall ipv4 name local-iot rule 200 source group address-group 'sonos_controllers'
set firewall ipv4 name local-iot rule 999 action 'drop'
set firewall ipv4 name local-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-iot rule 999 state invalid
@ -239,7 +198,7 @@ set firewall ipv4 name local-iot rule 999 log
# From LOCAL to LAN
set firewall ipv4 name local-lan default-action 'drop'
set firewall ipv4 name local-lan description 'From LOCAL to LAN'
set firewall ipv4 name local-lan enable-default-log
set firewall ipv4 name local-lan default-log
set firewall ipv4 name local-lan rule 999 action 'drop'
set firewall ipv4 name local-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-lan rule 999 state invalid
@ -248,7 +207,7 @@ set firewall ipv4 name local-lan rule 999 log
# From LOCAL to SERVERS
set firewall ipv4 name local-servers default-action 'drop'
set firewall ipv4 name local-servers description 'From LOCAL to SERVERS'
set firewall ipv4 name local-servers enable-default-log
set firewall ipv4 name local-servers default-log
set firewall ipv4 name local-servers rule 40 action 'accept'
set firewall ipv4 name local-servers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name local-servers rule 40 destination port 'domain,domain-s'
@ -286,7 +245,7 @@ set firewall ipv4 name local-containers rule 999 log
# From LOCAL to TRUSTED
set firewall ipv4 name local-trusted default-action 'drop'
set firewall ipv4 name local-trusted description 'From LOCAL to TRUSTED'
set firewall ipv4 name local-trusted enable-default-log
set firewall ipv4 name local-trusted default-log
set firewall ipv4 name local-trusted rule 100 action 'accept'
set firewall ipv4 name local-trusted rule 100 description 'Rule: accept_igmp'
set firewall ipv4 name local-trusted rule 100 protocol '2'
@ -312,7 +271,7 @@ set firewall ipv4 name local-trusted rule 999 log
# From LOCAL to VIDEO
set firewall ipv4 name local-video default-action 'drop'
set firewall ipv4 name local-video description 'From LOCAL to VIDEO'
set firewall ipv4 name local-video enable-default-log
set firewall ipv4 name local-video default-log
set firewall ipv4 name local-video rule 999 action 'drop'
set firewall ipv4 name local-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name local-video rule 999 state invalid
@ -326,7 +285,7 @@ set firewall ipv4 name local-wan description 'From LOCAL to WAN'
# From SERVERS to IOT
set firewall ipv4 name servers-iot default-action 'drop'
set firewall ipv4 name servers-iot description 'From SERVERS to IOT'
set firewall ipv4 name servers-iot enable-default-log
set firewall ipv4 name servers-iot default-log
set firewall ipv4 name servers-iot rule 100 action 'accept'
set firewall ipv4 name servers-iot rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-iot rule 100 protocol 'tcp'
@ -343,7 +302,7 @@ set firewall ipv4 name servers-iot rule 999 log
# From SERVERS to LAN
set firewall ipv4 name servers-lan default-action 'drop'
set firewall ipv4 name servers-lan description 'From SERVERS to LAN'
set firewall ipv4 name servers-lan enable-default-log
set firewall ipv4 name servers-lan default-log
set firewall ipv4 name servers-lan rule 999 action 'drop'
set firewall ipv4 name servers-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-lan rule 999 state invalid
@ -352,7 +311,7 @@ set firewall ipv4 name servers-lan rule 999 log
# From SERVERS to LOCAL
set firewall ipv4 name servers-local default-action 'drop'
set firewall ipv4 name servers-local description 'From SERVERS to LOCAL'
set firewall ipv4 name servers-local enable-default-log
set firewall ipv4 name servers-local default-log
set firewall ipv4 name servers-local rule 50 action 'accept'
set firewall ipv4 name servers-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name servers-local rule 50 destination port '67,68'
@ -392,7 +351,7 @@ set firewall ipv4 name servers-local rule 999 log
# From SERVERS to CONTAINERS
set firewall ipv4 name servers-containers default-action 'accept'
set firewall ipv4 name servers-containers description 'From SERVERS to CONTAINERS'
set firewall ipv4 name servers-containers enable-default-log
set firewall ipv4 name servers-containers default-log
set firewall ipv4 name servers-containers rule 40 action 'accept'
set firewall ipv4 name servers-containers rule 40 description 'Rule: accept_dns'
set firewall ipv4 name servers-containers rule 40 destination port 'domain,domain-s'
@ -409,7 +368,7 @@ set firewall ipv4 name servers-containers rule 999 log
# From SERVERS to TRUSTED
set firewall ipv4 name servers-trusted default-action 'drop'
set firewall ipv4 name servers-trusted description 'From SERVERS to TRUSTED'
set firewall ipv4 name servers-trusted enable-default-log
set firewall ipv4 name servers-trusted default-log
set firewall ipv4 name servers-trusted rule 999 action 'drop'
set firewall ipv4 name servers-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name servers-trusted rule 999 state invalid
@ -418,7 +377,7 @@ set firewall ipv4 name servers-trusted rule 999 log
# From SERVERS to VIDEO
set firewall ipv4 name servers-video default-action 'drop'
set firewall ipv4 name servers-video description 'From SERVERS to VIDEO'
set firewall ipv4 name servers-video enable-default-log
set firewall ipv4 name servers-video default-log
set firewall ipv4 name servers-video rule 100 action 'accept'
set firewall ipv4 name servers-video rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name servers-video rule 100 protocol 'tcp_udp'
@ -435,7 +394,7 @@ set firewall ipv4 name servers-wan description 'From SERVERS to WAN'
# From CONTAINERS to IOT
set firewall ipv4 name containers-iot default-action 'drop'
set firewall ipv4 name containers-iot description 'From CONTAINERS to IOT'
set firewall ipv4 name containers-iot enable-default-log
set firewall ipv4 name containers-iot default-log
set firewall ipv4 name containers-iot rule 999 action 'drop'
set firewall ipv4 name containers-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-iot rule 999 state invalid
@ -444,7 +403,7 @@ set firewall ipv4 name containers-iot rule 999 log
# From CONTAINERS to LAN
set firewall ipv4 name containers-lan default-action 'drop'
set firewall ipv4 name containers-lan description 'From CONTAINERS to LAN'
set firewall ipv4 name containers-lan enable-default-log
set firewall ipv4 name containers-lan default-log
set firewall ipv4 name containers-lan rule 999 action 'drop'
set firewall ipv4 name containers-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-lan rule 999 state invalid
@ -453,7 +412,7 @@ set firewall ipv4 name containers-lan rule 999 log
# From CONTAINERS to LOCAL
set firewall ipv4 name containers-local default-action 'drop'
set firewall ipv4 name containers-local description 'From CONTAINERS to LOCAL'
set firewall ipv4 name containers-local enable-default-log
set firewall ipv4 name containers-local default-log
set firewall ipv4 name containers-local rule 50 action 'accept'
set firewall ipv4 name containers-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name containers-local rule 50 destination port '67,68'
@ -479,7 +438,7 @@ set firewall ipv4 name containers-servers rule 999 log
# From CONTAINERS to TRUSTED
set firewall ipv4 name containers-trusted default-action 'drop'
set firewall ipv4 name containers-trusted description 'From CONTAINERS to TRUSTED'
set firewall ipv4 name containers-trusted enable-default-log
set firewall ipv4 name containers-trusted default-log
set firewall ipv4 name containers-trusted rule 999 action 'drop'
set firewall ipv4 name containers-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-trusted rule 999 state invalid
@ -488,7 +447,7 @@ set firewall ipv4 name containers-trusted rule 999 log
# From CONTAINERS to VIDEO
set firewall ipv4 name containers-video default-action 'drop'
set firewall ipv4 name containers-video description 'From CONTAINERS to VIDEO'
set firewall ipv4 name containers-video enable-default-log
set firewall ipv4 name containers-video default-log
set firewall ipv4 name containers-video rule 999 action 'drop'
set firewall ipv4 name containers-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name containers-video rule 999 state invalid
@ -501,16 +460,6 @@ set firewall ipv4 name containers-wan description 'From CONTAINERS to WAN'
# From TRUSTED to IOT
set firewall ipv4 name trusted-iot default-action 'accept'
set firewall ipv4 name trusted-iot description 'From TRUSTED to IOT'
set firewall ipv4 name trusted-iot rule 110 action 'accept'
set firewall ipv4 name trusted-iot rule 110 description 'Rule: accept_tcp_from_sonos_controllers_to_sonos_players'
set firewall ipv4 name trusted-iot rule 110 destination port '1400,1443,4444,7000,30000-65535'
set firewall ipv4 name trusted-iot rule 110 protocol 'tcp'
set firewall ipv4 name trusted-iot rule 110 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-iot rule 111 action 'accept'
set firewall ipv4 name trusted-iot rule 111 description 'Rule: accept_udp_from_sonos_controllers_to_sonos_players'
set firewall ipv4 name trusted-iot rule 111 destination port '319,320,30000-65535'
set firewall ipv4 name trusted-iot rule 111 protocol 'udp'
set firewall ipv4 name trusted-iot rule 111 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-iot rule 999 action 'drop'
set firewall ipv4 name trusted-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name trusted-iot rule 999 state invalid
@ -527,7 +476,7 @@ set firewall ipv4 name trusted-lan rule 999 log
# From TRUSTED to LOCAL
set firewall ipv4 name trusted-local default-action 'drop'
set firewall ipv4 name trusted-local description 'From TRUSTED to LOCAL'
set firewall ipv4 name trusted-local enable-default-log
set firewall ipv4 name trusted-local default-log
set firewall ipv4 name trusted-local rule 50 action 'accept'
set firewall ipv4 name trusted-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name trusted-local rule 50 destination port '67,68'
@ -549,11 +498,6 @@ set firewall ipv4 name trusted-local rule 120 action 'accept'
set firewall ipv4 name trusted-local rule 120 description 'Rule: accept_dns'
set firewall ipv4 name trusted-local rule 120 destination port 'domain,domain-s'
set firewall ipv4 name trusted-local rule 120 protocol 'tcp_udp'
set firewall ipv4 name trusted-local rule 210 action 'accept'
set firewall ipv4 name trusted-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
set firewall ipv4 name trusted-local rule 210 destination group port-group sonos-discovery
set firewall ipv4 name trusted-local rule 210 protocol 'udp'
set firewall ipv4 name trusted-local rule 210 source group address-group 'sonos_controllers'
set firewall ipv4 name trusted-local rule 211 action 'accept'
set firewall ipv4 name trusted-local rule 211 description 'Rule: accept_discovery_from_sonos_players'
set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-discovery
@ -612,12 +556,7 @@ set firewall ipv4 name trusted-wan description 'From TRUSTED to WAN'
# From VIDEO to IOT
set firewall ipv4 name video-iot default-action 'drop'
set firewall ipv4 name video-iot description 'From VIDEO to IOT'
set firewall ipv4 name video-iot enable-default-log
set firewall ipv4 name video-iot rule 100 action 'accept'
set firewall ipv4 name video-iot rule 100 description 'Rule: allow connecting to hass'
set firewall ipv4 name video-iot rule 100 protocol 'tcp'
set firewall ipv4 name video-iot rule 100 destination group address-group 'k8s_hass'
set firewall ipv4 name video-iot rule 100 destination port '8123'
set firewall ipv4 name video-iot default-log
set firewall ipv4 name video-iot rule 999 action 'drop'
set firewall ipv4 name video-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-iot rule 999 state invalid
@ -626,7 +565,7 @@ set firewall ipv4 name video-iot rule 999 log
# From VIDEO to LAN
set firewall ipv4 name video-lan default-action 'drop'
set firewall ipv4 name video-lan description 'From VIDEO to LAN'
set firewall ipv4 name video-lan enable-default-log
set firewall ipv4 name video-lan default-log
set firewall ipv4 name video-lan rule 999 action 'drop'
set firewall ipv4 name video-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-lan rule 999 state invalid
@ -635,7 +574,7 @@ set firewall ipv4 name video-lan rule 999 log
# From VIDEO to LOCAL
set firewall ipv4 name video-local default-action 'drop'
set firewall ipv4 name video-local description 'From VIDEO to LOCAL'
set firewall ipv4 name video-local enable-default-log
set firewall ipv4 name video-local default-log
set firewall ipv4 name video-local rule 50 action 'accept'
set firewall ipv4 name video-local rule 50 description 'Rule: accept_dhcp'
set firewall ipv4 name video-local rule 50 destination port '67,68'
@ -653,7 +592,7 @@ set firewall ipv4 name video-local rule 999 log
# From VIDEO to SERVERS
set firewall ipv4 name video-servers default-action 'drop'
set firewall ipv4 name video-servers description 'From VIDEO to SERVERS'
set firewall ipv4 name video-servers enable-default-log
set firewall ipv4 name video-servers default-log
set firewall ipv4 name video-servers rule 100 action 'accept'
set firewall ipv4 name video-servers rule 100 description 'Rule: accept_k8s_nodes'
set firewall ipv4 name video-servers rule 100 protocol 'udp'
@ -679,7 +618,7 @@ set firewall ipv4 name video-containers rule 999 log
# From VIDEO to TRUSTED
set firewall ipv4 name video-trusted default-action 'drop'
set firewall ipv4 name video-trusted description 'From VIDEO to TRUSTED'
set firewall ipv4 name video-trusted enable-default-log
set firewall ipv4 name video-trusted default-log
set firewall ipv4 name video-trusted rule 999 action 'drop'
set firewall ipv4 name video-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name video-trusted rule 999 state invalid
@ -691,7 +630,7 @@ set firewall ipv4 name video-wan description 'From VIDEO to WAN'
# From WAN to IOT
set firewall ipv4 name wan-iot default-action 'drop'
set firewall ipv4 name wan-iot description 'From WAN to IOT'
set firewall ipv4 name wan-iot enable-default-log
set firewall ipv4 name wan-iot default-log
set firewall ipv4 name wan-iot rule 999 action 'drop'
set firewall ipv4 name wan-iot rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-iot rule 999 state invalid
@ -700,7 +639,7 @@ set firewall ipv4 name wan-iot rule 999 log
# From WAN to LAN
set firewall ipv4 name wan-lan default-action 'drop'
set firewall ipv4 name wan-lan description 'From WAN to LAN'
set firewall ipv4 name wan-lan enable-default-log
set firewall ipv4 name wan-lan default-log
set firewall ipv4 name wan-lan rule 999 action 'drop'
set firewall ipv4 name wan-lan rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-lan rule 999 state invalid
@ -709,7 +648,7 @@ set firewall ipv4 name wan-lan rule 999 log
# From WAN to LOCAL
set firewall ipv4 name wan-local default-action 'drop'
set firewall ipv4 name wan-local description 'From WAN to LOCAL'
set firewall ipv4 name wan-local enable-default-log
set firewall ipv4 name wan-local default-log
set firewall ipv4 name wan-local rule 1 action 'drop'
set firewall ipv4 name wan-local rule 1 description 'Rule: drop_invalid'
set firewall ipv4 name wan-local rule 1 state invalid
@ -722,7 +661,7 @@ set firewall ipv4 name wan-local rule 100 protocol 'udp'
# From WAN to SERVERS
set firewall ipv4 name wan-servers default-action 'drop'
set firewall ipv4 name wan-servers description 'From WAN to SERVERS'
set firewall ipv4 name wan-servers enable-default-log
set firewall ipv4 name wan-servers default-log
set firewall ipv4 name wan-servers rule 100 action 'accept'
set firewall ipv4 name wan-servers rule 100 destination port 32400
set firewall ipv4 name wan-servers rule 100 protocol 'tcp'
@ -735,7 +674,7 @@ set firewall ipv4 name wan-servers rule 999 log
# From WAN to CONTAINERS
set firewall ipv4 name wan-containers default-action 'drop'
set firewall ipv4 name wan-containers description 'From WAN to CONTAINERS'
set firewall ipv4 name wan-containers enable-default-log
set firewall ipv4 name wan-containers default-log
set firewall ipv4 name wan-containers rule 999 action 'drop'
set firewall ipv4 name wan-containers rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-containers rule 999 state invalid
@ -744,7 +683,7 @@ set firewall ipv4 name wan-containers rule 999 log
# From WAN to TRUSTED
set firewall ipv4 name wan-trusted default-action 'drop'
set firewall ipv4 name wan-trusted description 'From WAN to TRUSTED'
set firewall ipv4 name wan-trusted enable-default-log
set firewall ipv4 name wan-trusted default-log
set firewall ipv4 name wan-trusted rule 999 action 'drop'
set firewall ipv4 name wan-trusted rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-trusted rule 999 state invalid
@ -753,7 +692,7 @@ set firewall ipv4 name wan-trusted rule 999 log
# From WAN to VIDEO
set firewall ipv4 name wan-video default-action 'drop'
set firewall ipv4 name wan-video description 'From WAN to VIDEO'
set firewall ipv4 name wan-video enable-default-log
set firewall ipv4 name wan-video default-log
set firewall ipv4 name wan-video rule 999 action 'drop'
set firewall ipv4 name wan-video rule 999 description 'Rule: drop_invalid'
set firewall ipv4 name wan-video rule 999 state invalid
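Review bot: The iot-servers hunk (`@ -46,37 +46,13 @@`) shrinks from 37 to 13 lines while rules 100–410 are printed inside it, which by the counts means the accept rules for NAS SMB, Plex, MQTT and k8s ingress leave the ruleset and only `default-action 'drop'` with `default-log` remains; that is fail-closed, but none of the five commit messages says these allowances were intentionally withdrawn or moved elsewhere. The same pattern shows in the iot-trusted, local-iot, trusted-iot, trusted-local and video-iot hunks, where the Sonos rules and the `allow connecting to hass` rule appear to go. If the removal is deliberate, a comment in the iot-servers section such as `# no IoT->SERVERS allowances by design; add explicit rules here if a device needs NAS/Plex/MQTT` would stop the next reader from treating it as an accidental drop, and if it is accidental the devices in those address groups lose access the moment this is committed. The rest of the section only renames `enable-default-log` to `default-log`, which is consistent across every ruleset. The sides are inferred from the hunk counts rather than from `+`/`-` markers, so confirm against the raw diff before acting on this.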


@ -67,7 +67,6 @@ set firewall zone trusted from containers firewall name 'containers-trusted'
set firewall zone trusted from video firewall name 'video-trusted'
set firewall zone trusted from wan firewall name 'wan-trusted'
set firewall zone trusted interface 'eth4.20'
set firewall zone trusted interface 'wg01'
# video
set firewall zone video default-action 'drop'
@ -89,4 +88,4 @@ set firewall zone wan from servers firewall name 'servers-wan'
set firewall zone wan from containers firewall name 'containers-wan'
set firewall zone wan from trusted firewall name 'trusted-wan'
set firewall zone wan from video firewall name 'video-wan'
set firewall zone wan interface 'eth0'
set firewall zone wan interface 'eth5'
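Review bot: With `wg01` leaving the trusted zone in the first hunk and the whole wg01 interface (listen port 51820, three peers) removed in the interfaces section, the `set firewall group port-group wireguard port '51820'` entry in the groups section and whatever wan-local rule 100 (`protocol 'udp'` in that hunk's context header) accepts become dead configuration; if that rule admits udp/51820 from WAN it now opens a port nothing listens on. Removing the port-group and the WAN-side accept in the same change keeps the WAN-facing ruleset equal to the services actually exposed. The wan-local rule's port is outside the visible hunk, so confirm it before deleting. The second hunk swaps `eth0` and `eth5` as the wan zone interface with no marker saying which survives, while the NAT section keeps `eth5` as the Plex inbound interface on both sides; confirm the zone and the DNAT rule agree on the WAN interface after this compare.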


@ -8,13 +8,13 @@ set firewall global-options all-ping 'enable'
# Address Groups
set firewall group address-group router-addresses address 10.0.0.1
set firewall group address-group router-addresses address 127.0.0.1
set firewall group address-group k8s_nodes address '10.1.1.61-63' # master nodes
set firewall group address-group k8s_nodes address '10.1.1.41-46' # worker nodes
set firewall group address-group k8s_nodes address '10.1.1.61-10.1.1.63' # master nodes
set firewall group address-group k8s_nodes address '10.1.1.41-10.1.1.46' # worker nodes
set firewall group address-group k8s_api address '10.5.0.2'
set firewall group address-group k8s_ingress address '10.45.0.1' # external nginx
set firewall group address-group k8s_ingress address '10.45.0.3' # internal nginx
set firewall group address-group k8s_vector_aggregator address '10.45.0.2'
set firewall group address-group nas address '10.1.1.11-12'
set firewall group address-group nas address '10.1.1.11-10.1.1.12'
set firewall group address-group unifi_devices address '10.1.0.11'
set firewall group address-group unifi_devices address '10.1.0.12'
set firewall group address-group unifi_devices address '10.1.0.13'
@ -24,6 +24,7 @@ set firewall group address-group unifi_devices address '10.1.0.23'
set firewall group address-group unifi_devices address '10.1.0.24'
set firewall group address-group vyos_unifi address '10.5.0.10'
set firewall group network-group k8s_services network '10.45.0.0/16'
set firewall group address-group sonos_players address '10.1.2.31'
# Port groups
set firewall group port-group wireguard port '51820'
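Review bot: The added `set firewall group address-group sonos_players address '10.1.2.31'` sits after the `network-group k8s_services` line instead of with the other address-group entries, and by the hunk counts the iot-trusted, trusted-iot and iot-servers rules that reference `sonos_players` appear to leave the ruleset in the same compare, so the group may end up defined but unreferenced. Moving the line up beside the other address groups and checking that at least one rule still uses `sonos_players` keeps this file from accumulating orphaned entries. The range rewrites (`'10.1.1.61-63'` → `'10.1.1.61-10.1.1.63'`, and likewise `nas`) use the explicit start–end address form; the `router-addresses` entries are the only ones left unquoted, which is harmless but inconsistent with the rest of the file.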


@ -16,16 +16,3 @@ set interfaces ethernet eth4 vif 30 description 'IOT'
set interfaces ethernet eth4 vif 40 address '10.1.4.1/24'
set interfaces ethernet eth4 vif 40 description 'VIDEO'
set interfaces wireguard wg01 address '10.0.11.1/24'
set interfaces wireguard wg01 description 'WIREGUARD'
set interfaces wireguard wg01 peer ipad-jahanson allowed-ips '10.0.11.4/32'
set interfaces wireguard wg01 peer ipad-jahanson persistent-keepalive '15'
set interfaces wireguard wg01 peer ipad-jahanson public-key 'jv1XSCkzxGY0kBfLbF79gwLVOCmyCTUmSFd36QcwiWE='
set interfaces wireguard wg01 peer iphone-jahanson allowed-ips '10.0.11.2/32'
set interfaces wireguard wg01 peer iphone-jahanson persistent-keepalive '15'
set interfaces wireguard wg01 peer iphone-jahanson public-key 'HHBmTzVQH1qt14rVqzxCUATkLRPGu5WisHyY9O4yTkM='
set interfaces wireguard wg01 peer legion-jahanson allowed-ips '10.0.11.3/32'
set interfaces wireguard wg01 peer legion-jahanson persistent-keepalive '15'
set interfaces wireguard wg01 peer legion-jahanson public-key 'OA8fW79KEJej2lbZZY/Bf7EHcRjeiDowqIBwXGRLZ3A='
set interfaces wireguard wg01 port '51820'
set interfaces wireguard wg01 private-key "${SECRET_WIREGUARD_PRIVATE_KEY}"


@ -3,7 +3,7 @@
# Forward Plex to Sting
set nat destination rule 110 description 'PLEX'
set nat destination rule 110 destination port '32400'
set nat destination rule 110 inbound-interface 'eth5'
set nat destination rule 110 inbound-interface name 'eth5'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '10.1.1.12'
set nat destination rule 110 translation port '32400'


@ -65,6 +65,9 @@ set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-ma
# VMs
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas ip-address '10.1.1.53'
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping tulkas mac-address '26:82:2F:16:7A:36'
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping qbee ip-address '10.1.1.55'
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping qbee mac-address '00:a0:98:00:a6:72'
# k8s prod masters
set service dhcp-server shared-network-name SERVERS subnet 10.1.1.0/24 static-mapping galadriel ip-address '10.1.1.61'
@ -136,3 +139,5 @@ set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 range 0 sto
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera ip-address '10.1.4.12'
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping driveway-camera mac-address 'ec:71:db:62:aa:e9'
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping sidehouse-camera ip-address '10.1.4.13'
set service dhcp-server shared-network-name VIDEO subnet 10.1.4.0/24 static-mapping sidehouse-camera mac-address 'ec:71:db:5e:46:a7'
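Review bot: The new qbee mapping writes its MAC in lowercase (`'00:a0:98:00:a6:72'`) while the neighbouring tulkas entry is uppercase; VyOS presumably normalises case, but one convention per file keeps grep-based audits of static leases reliable. qbee is filed under the `# VMs` comment yet is the only server the new haproxy-k3s backend points at (`10.1.1.55:6443`), so a comment such as `# k3s control plane` beside its mapping would spare the next reader a cross-file lookup.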


@ -7,5 +7,6 @@
!/bind/
!/dnsdist/
!/haproxy/
!/haproxy-k3s/
!/unifi/
!/vector-agent/

containers/haproxy-k3s/.gitignore vendored Normal file

@ -0,0 +1,9 @@
# Ignore everything
/*
# Track certain files and directories
!.gitignore
!/config/
/config/*
!/config/haproxy.cfg


@ -0,0 +1,48 @@
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
log /dev/log local0
log /dev/log local1 notice
daemon
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 20s
timeout connect 10s
timeout client 1h
timeout server 1h
timeout http-keep-alive 10s
timeout check 10s
#---------------------------------------------------------------------
# apiserver frontend which proxys to the control plane nodes
#---------------------------------------------------------------------
frontend k8s_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_controlplane
#---------------------------------------------------------------------
# round robin balancing for apiserver
#---------------------------------------------------------------------
backend k8s_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server worker2 10.1.1.55:6443 check
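Review bot: In backend k8s_controlplane the `option httpchk GET /healthz` / `http-check expect status 200` pair is most likely inert, because `option ssl-hello-chk` declared after it selects a different check type (HAProxy keeps only the last `option *chk` given in a section), so the node's health is judged by whether a TLS hello completes rather than by /healthz. If the /healthz probe is the intended one, drop `option ssl-hello-chk` and let the probe speak TLS on the server line, e.g. `server worker2 10.1.1.55:6443 check check-ssl verify none` (or point `verify` at the cluster CA instead of `none` so the check cannot be satisfied by an impostor). The lone server is named worker2 but appears to be the k3s control-plane node mapped as qbee in the DHCP section, and the comments talk about "control plane nodes" and "round robin" in the plural; naming the server after the node and trimming the comments would avoid confusion, and `proxys` in the frontend comment should read `proxies`. Finally, `log /dev/log` assumes a syslog socket inside the container; if none is mounted HAProxy still runs but access and health-check logs go nowhere, so `log stdout format raw local0` would let podman capture them.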


@ -17,9 +17,10 @@ END
tee -a /home/vyos/.bash_aliases <<END >/dev/null
export SOPS_AGE_KEY_FILE=/config/secrets/age.key
export GIT_SSH_COMMAND="ssh -i /config/secrets/id_ed25519"
export VISUAL=vi
export EDITOR=vi
export VISUAL=vim
export EDITOR=vim
alias podman="sudo podman"
END
# Force X550 NIC to 2.5Gbps autonegotiation. Fixes a Intel driver issue.
ethtool -s eth0 speed 2500 duplex full autoneg on
#ethtool -s eth0 speed 2500 duplex full autoneg on
systemctl start nextdns