diff --git a/cluster/traefik.tf b/cluster/traefik.tf
index 22c4a342..c2756e3a 100644
--- a/cluster/traefik.tf
+++ b/cluster/traefik.tf
@@ -20,8 +20,6 @@ resource "helm_release" "traefik" {
 ports = {
 traefik = {
 traefik = {
- hostPort = 9000
- hostIP = "100.105.14.66"
 expose = true
 }
 web = {
diff --git a/nixos/roles/k8s-cluster/kubernetes.nix b/nixos/roles/k8s-cluster/kubernetes.nix
index 20471d38..4fd919e1 100644
--- a/nixos/roles/k8s-cluster/kubernetes.nix
+++ b/nixos/roles/k8s-cluster/kubernetes.nix
@@ -11,11 +11,7 @@ in {
 ];
 networking = {
- firewall.allowedTCPPorts = [
- kubeMasterAPIServerPort
- 443
- 80
- ];
+ firewall.enable = false;
 extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
 };
diff --git a/tf/ran-hcloud.tf b/tf/ran-hcloud.tf
index c7f78df7..eb1179dd 100644
--- a/tf/ran-hcloud.tf
+++ b/tf/ran-hcloud.tf
@@ -27,6 +27,9 @@ resource "hcloud_server" "ran" {
 ipv6_enabled = true
 ipv6 = hcloud_primary_ip.ran_ipv6.id
 }
+ firewall_ids = [
+ hcloud_firewall.ran.id
+ ]
 lifecycle {
 ignore_changes = [
@@ -46,4 +49,53 @@ resource "hcloud_rdns" "ran-v6" {
 server_id = hcloud_server.ran.id
 ip_address = hcloud_server.ran.ipv6_address
 dns_ptr = "ran.gensokyo.zone"
+}
+
+resource "hcloud_firewall" "ran" {
+ name = "ran-firewall"
+ rule {
+ direction = "in"
+ protocol = "icmp"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "80"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "443"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ rule {
+ direction = "in"
+ protocol = "udp"
+ port = "60000-61000"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "22"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ }
 }
\ No newline at end of file
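Review bot: `firewall.enable = false;` replaces the three-port TCP allowlist with no host firewall at all, so every socket the node listens on (kubelet, etcd, NodePort services, anything bound to a host port) becomes reachable on every interface instead of only the API server port, 443 and 80. If the allowlist was dropped because intra-cluster traffic was being blocked, the narrower fix is to keep `enable = true` and either add the missing ports to `allowedTCPPorts`/`allowedUDPPorts` or list the pod-network interface in `networking.firewall.trustedInterfaces`. The hcloud firewall added later in this commit is attached only to the `ran` server, and whether this role is deployed on that host is not visible here, so the host firewall should not be assumed redundant. The enclosing attribute set starts and ends outside the hunk.
```nix
  networking = {
    firewall = {
      enable = true;
      allowedTCPPorts = [ kubeMasterAPIServerPort 443 80 ];
      # cluster-internal traffic passes unfiltered on this interface only
      trustedInterfaces = [ "<PLACEHOLDER: pod-network interface>" ];
    };
    # … unchanged: extraHosts …
  };
```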
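Review bot: The last rule of `hcloud_firewall.ran` opens TCP 22 to `0.0.0.0/0` and `::/0`, making SSH on `ran` as reachable as the web ports; this is the rule most worth narrowing, e.g. `source_ips = [ "<ADMIN_CIDR_V4>", "<ADMIN_CIDR_V6>" ]` (placeholders for the operator's management ranges). None of the five rules records why it exists, and the UDP `60000-61000` range in particular is opaque; if the provider version in use supports it, a `description = "…"` on each rule (e.g. `description = "ssh from admin ranges"`) would document the intent in the plan output and the cloud console. The file also ends without a trailing newline, and the rule bodies are not aligned; running `terraform fmt` would fix both.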