[RAN] Add firewall

cluster/traefik.tf

@@ -20,8 +20,6 @@ resource "helm_release" "traefik" {
             ports = {
                 traefik = {
                     traefik = {
-                        hostPort = 9000
-                        hostIP = "100.105.14.66"
                         expose = true
                     }
                     web = {

nixos/roles/k8s-cluster/kubernetes.nix

@@ -11,11 +11,7 @@ in {
   ];
 
   networking = {
-    firewall.allowedTCPPorts = [
+    firewall.enable = false;
-      kubeMasterAPIServerPort
-      443
-      80
-    ];
     extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
   };
 

tf/ran-hcloud.tf

@@ -27,6 +27,9 @@ resource "hcloud_server" "ran" {
         ipv6_enabled = true
         ipv6 = hcloud_primary_ip.ran_ipv6.id
     }
+    firewall_ids = [
+        hcloud_firewall.ran.id
+    ]
 
     lifecycle {
         ignore_changes = [
@@ -46,4 +49,53 @@ resource "hcloud_rdns" "ran-v6" {
     server_id  = hcloud_server.ran.id
     ip_address = hcloud_server.ran.ipv6_address
     dns_ptr    = "ran.gensokyo.zone"
+}
+
+resource "hcloud_firewall" "ran" {
+    name = "ran-firewall"
+    rule {
+        direction = "in"
+        protocol  = "icmp"
+        source_ips = [
+        "0.0.0.0/0",
+        "::/0"
+        ]
+    }
+
+    rule {
+        direction = "in"
+        protocol = "tcp"
+        port = "80"
+        source_ips = [
+            "0.0.0.0/0",
+            "::/0"
+        ]
+    }
+    rule {
+        direction = "in"
+        protocol = "tcp"
+        port = "443"
+        source_ips = [
+            "0.0.0.0/0",
+            "::/0"
+        ]
+    }
+    rule {
+        direction = "in"
+        protocol = "udp"
+        port = "60000-61000"
+        source_ips = [
+            "0.0.0.0/0",
+            "::/0"
+        ]
+    }
+    rule {
+        direction = "in"
+        protocol = "tcp"
+        port = "22"
+        source_ips = [
+            "0.0.0.0/0",
+            "::/0"
+        ]
+    }
 }