B4L/cnx-network-clan
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
48bf7fb25011781603c3f56c89e5acdc23f6f7ee
cnx-network-clan/modules/hetzner-firewall-rules.nix
T
Berwn 48bf7fb250 Add web01 public reverse proxy with DNS-01 wildcard TLS 
web01 terminates TLS for grafana.cnx.network and proxies to Grafana on
control over the mesh. Caddy serves a *.cnx.network wildcard cert obtained
via ACME DNS-01, using a dedicated acme_web01 TSIG key scoped on ns1 to
_acme-challenge on the cnx.network zone only. Ports 80/443 are the only
public exposure (80 just redirects); admin and the backend ride ZeroTier.

Also reload Caddy on cert renewal for both web01 and mx1, since both
reference the cert via explicit tls file paths and would otherwise keep
serving a stale cert after a silent renewal.
2026-06-21 03:05:54 +07:00

102 lines
2.4 KiB
Nix
Raw Blame History

# Hetzner Cloud firewall rules, keyed by firewall name. Imported by
# machines/control/configuration.nix and fed to cnx.hetznerFirewall.firewalls.
#
# Public SSH (22) is intentionally absent: admin access rides the ZeroTier mesh
# (inside UDP 9993), with emergency-access as the console fallback.
let
world = [
"0.0.0.0/0"
"::/0"
];
zerotier = {
direction = "in";
protocol = "udp";
port = "9993";
source_ips = world;
description = "ZeroTier";
};
ping = {
direction = "in";
protocol = "icmp";
source_ips = world;
description = "ICMP (ping / PMTUD)";
};
# Public mail ports for mx1 (MX for cnx.email). 25 is server-to-server
# delivery; 587/465 are client submission; 143/993 are IMAP. 443 serves only the
# MTA-STS policy (https://mta-sts.cnx.email/.well-known/mta-sts.txt); the cert
# itself uses ACME DNS-01 so port 80 stays closed. Admin still rides the mesh.
mailPort = port: description: {
direction = "in";
protocol = "tcp";
inherit port;
source_ips = world;
inherit description;
};
mailRules = [
(mailPort "25" "SMTP (inbound mail)")
(mailPort "587" "Submission (STARTTLS)")
(mailPort "465" "Submission (implicit TLS)")
(mailPort "143" "IMAP (STARTTLS)")
(mailPort "993" "IMAP (implicit TLS)")
(mailPort "443" "MTA-STS policy (HTTPS)")
];
# web01 is a public reverse proxy with TLS termination. 443 serves the proxy;
# 80 only carries Caddy's HTTP->HTTPS redirect (the cert uses ACME DNS-01, not
# HTTP-01). Admin rides the mesh.
webRules = [
{
direction = "in";
protocol = "tcp";
port = "80";
source_ips = world;
description = "HTTP (redirect to HTTPS)";
}
{
direction = "in";
protocol = "tcp";
port = "443";
source_ips = world;
description = "HTTPS (reverse proxy / TLS termination)";
}
];
dnsRules = [
{
direction = "in";
protocol = "udp";
port = "53";
source_ips = world;
description = "DNS (UDP)";
}
{
direction = "in";
protocol = "tcp";
port = "53";
source_ips = world;
description = "DNS (TCP)";
}
zerotier
ping
];
in
{
"clan-control" = [
zerotier
ping
];
"clan-ns1" = dnsRules;
"clan-ns2" = dnsRules;
"clan-mx1" = mailRules ++ [
zerotier
ping
];
"clan-web01" = webRules ++ [
zerotier
ping
];
}
Reference in New Issue View Git Blame Copy Permalink