feat(ward): open kanidm port only for sentinel

2023-06-01 01:33:13 +02:00 · 2023-06-01 01:33:13 +02:00 · df2657bb1c
commit df2657bb1c
parent c1fe238c75
5 changed files with 20 additions and 5 deletions
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -76,12 +76,26 @@ in {

    networking.nftables.firewall = {
      zones = lib.mkForce {
-        local-vms.interfaces = ["local-vms"];
+        #local-vms.interfaces = ["local-vms"];
+        proxy-sentinel.interfaces = ["proxy-sentinel"];
+        sentinel = {
+          parent = "proxy-sentinel";
+          ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+          ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+        };
      };

+      #rules = lib.mkForce {
+      #  local-vms-to-local = {
+      #    from = ["local-vms"];
+      #    to = ["local"];
+      #    allowedTCPPorts = [8300];
+      #  };
+      #};
+
      rules = lib.mkForce {
-        local-vms-to-local = {
-          from = ["local-vms"];
+        sentinel-to-local = {
+          from = ["sentinel"];
          to = ["local"];
          allowedTCPPorts = [8300];
        };
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -139,6 +139,7 @@ in {
        renew-timer = 1000;
        rebind-timer = 2000;
        interfaces-config = {
+          # TODO why does this bind other macvtaps?
          interfaces = ["lan-self"];
          service-sockets-max-retries = -1;
        };