Berwn
5864054b00
Extract the per-firewall rule data out of control's configuration into modules/hetzner-firewall-rules.nix, imported like the DNS domains list. The evaluated rules are unchanged.
36 lines
946 B
Nix
36 lines
946 B
Nix
# Hetzner Cloud firewall rules, keyed by firewall name. Imported by
|
|
# machines/control/configuration.nix and fed to cnx.hetznerFirewall.firewalls.
|
|
#
|
|
# Public SSH (22) is intentionally absent: admin access rides the ZeroTier mesh
|
|
# (inside UDP 9993), with emergency-access as the console fallback.
|
|
let
|
|
world = [ "0.0.0.0/0" "::/0" ];
|
|
|
|
zerotier = {
|
|
direction = "in";
|
|
protocol = "udp";
|
|
port = "9993";
|
|
source_ips = world;
|
|
description = "ZeroTier";
|
|
};
|
|
|
|
ping = {
|
|
direction = "in";
|
|
protocol = "icmp";
|
|
source_ips = world;
|
|
description = "ICMP (ping / PMTUD)";
|
|
};
|
|
|
|
dnsRules = [
|
|
{ direction = "in"; protocol = "udp"; port = "53"; source_ips = world; description = "DNS (UDP)"; }
|
|
{ direction = "in"; protocol = "tcp"; port = "53"; source_ips = world; description = "DNS (TCP)"; }
|
|
zerotier
|
|
ping
|
|
];
|
|
in
|
|
{
|
|
"clan-control" = [ zerotier ping ];
|
|
"clan-ns1" = dnsRules;
|
|
"clan-ns2" = dnsRules;
|
|
}
|