feat: fixing firewall rules and use constant ip for ingress

2025-04-17 21:03:06 +02:00 · 2025-04-17 21:03:06 +02:00 · d074ff3e1f
commit d074ff3e1f
parent 00514d3a5c
8 changed files with 48 additions and 59 deletions
--- a/ingress.tjo.cloud/README.md
+++ b/ingress.tjo.cloud/README.md
@ -15,4 +15,4 @@ just apply-only nevaroo
 # Apply to all nodes
 just configure
 just apply
-```
+```
--- a/ingress.tjo.cloud/terraform/node.tf
+++ b/ingress.tjo.cloud/terraform/node.tf
@ -121,6 +121,10 @@ Repo: https://code.tjo.space/tjo-cloud/infrastructure/ingress.tjo.cloud
    bridge = "vmbr1"
  }

+  network_device {
+    bridge = "vmbr1"
+  }
+
  scsi_hardware = "virtio-scsi-single"
  disk {
    file_id      = proxmox_virtual_environment_download_file.ubuntu[each.key].id
@ -139,12 +143,21 @@ Repo: https://code.tjo.space/tjo-cloud/infrastructure/ingress.tjo.cloud

    ip_config {
      ipv4 {
-        address = each.value.ipv4_address
-        gateway = each.value.ipv4_gateway
+        address = var.network.ipv4_address
+        gateway = var.network.ipv4_gateway
      }
      ipv6 {
-        address = each.value.ipv6_address
-        gateway = each.value.ipv6_gateway
+        address = var.network.ipv6_address
+        gateway = var.network.ipv6_gateway
+      }
+    }
+
+    ip_config {
+      ipv4 {
+        address = "dhcp"
+      }
+      ipv6 {
+        address = "dhcp"
      }
    }
  }
--- a/ingress.tjo.cloud/terraform/terraform.tfvars
+++ b/ingress.tjo.cloud/terraform/terraform.tfvars
@ -1,3 +1,10 @@
+network = {
+  ipv4_address = "10.0.0.10/32"
+  ipv4_gateway = "10.0.0.1"
+  ipv6_address = "fd74:6a6f:0:f000::10/128"
+  ipv6_gateway = "fd74:6a6f:0:f000::1"
+}
+
 nodes = {
  batuu = {
    id           = 800
@ -5,43 +12,25 @@ nodes = {
    iso_storage  = "local"
    boot_storage = "local-nvme"

-    ipv4_address = "10.0.16.10/20"
-    ipv4_gateway = "10.0.16.1"
-    ipv6_address = "fd74:6a6f:0:1010::1/64"
-    ipv6_gateway = "fd74:6a6f:0:1000::1"
+
  }
  jakku = {
    id           = 801
    host         = "jakku"
    iso_storage  = "local"
    boot_storage = "local-nvme"
-
-    ipv4_address = "10.0.32.10/20"
-    ipv4_gateway = "10.0.32.1"
-    ipv6_address = "fd74:6a6f:0:2010::1/64"
-    ipv6_gateway = "fd74:6a6f:0:2000::1"
  }
  nevaroo = {
    id           = 802
    host         = "nevaroo"
    iso_storage  = "local"
    boot_storage = "local"
-
-    ipv4_address = "10.0.48.10/20"
-    ipv4_gateway = "10.0.48.1"
-    ipv6_address = "fd74:6a6f:0:3010::1/64"
-    ipv6_gateway = "fd74:6a6f:0:3000::1"
  }
  mustafar = {
    id           = 803
    host         = "mustafar"
    iso_storage  = "local"
    boot_storage = "local"
-
-    ipv4_address = "10.0.64.10/20"
-    ipv4_gateway = "10.0.64.1"
-    ipv6_address = "fd74:6a6f:0:4010::1/64"
-    ipv6_gateway = "fd74:6a6f:0:4000::1"
  }
 }

--- a/ingress.tjo.cloud/terraform/variables.tf
+++ b/ingress.tjo.cloud/terraform/variables.tf
@ -1,13 +1,17 @@
-variable "nodes" {
-  type = map(object({
-    id   = number
-    host = string
-
+variable "network" {
+  type = object({
    ipv4_address = string
    ipv4_gateway = string

    ipv6_address = string
    ipv6_gateway = string
+  })
+}
+
+variable "nodes" {
+  type = map(object({
+    id   = number
+    host = string

    cores  = optional(number, 1)
    memory = optional(number, 512)
@ -60,4 +64,3 @@ variable "dnsimple_token" {
 variable "dnsimple_account_id" {
  type = string
 }
-
--- a/network.tjo.cloud/README.md
+++ b/network.tjo.cloud/README.md
@ -10,7 +10,7 @@ __WAN interface__ either represents an actual public interface (on Hetzner) or a

 __LAN interface__ is an ordinary lan network.

-__ingress.tjo.cloud__ has port-forwarded all public ports to it (22, 25, 80, 443, 587 etc.). No other VM is accessible from the internet.
+__ingress.tjo.cloud__ has port-forwarded all public ports to it (22, 25, 80, 443, 587 etc.). No other internal service is accessible from the internet.

 __network.tjo.cloud__ establishes ZeroTier connection between other network.tjo.cloud nodes to establish Layer2 SD-WAN.

@ -66,9 +66,10 @@ Next 1021 are provisioned via DHCP. The reset are unused.

 ### Special designations

-| Use            | IPv4             | IPv6                    |
-|----------------|------------------|-------------------------|
-| Router LAN VIP | 10.0.0.1/32      | fd74:6a6f:0:f000::1/128 |
+| Use               | IPv4             | IPv6                     |
+|-------------------|------------------|--------------------------|
+| Router LAN VIP    | 10.0.0.1/32      | fd74:6a6f:0:f000::1/128  |
+| ingress.tjo.cloud | 10.0.0.10/32     | fd74:6a6f:0:f000::10/128 |

 ## k8s.tjo.cloud

--- a/network.tjo.cloud/config.yaml
+++ b/network.tjo.cloud/config.yaml
@ -1,6 +1,8 @@
 firewall:
  - name: "ingress.tjo.cloud"
-    host: "ingress.tjo.cloud"
+    host:
+      ipv4: "10.0.0.10"
+      ipv6: "fd74:6a6f:0:f000::10"
    ports:
      - 22   # SSH
      - 25   # SMTP (explicit TLS => STARTTLS)
@ -24,10 +26,6 @@ nodes:
    ipv6:
      subnet: "fd74:6a6f:0:1000::/52"
      address: "fd74:6a6f:0:1000::1"
-    hosts:
-      ingress.tjo.cloud:
-        ipv4: "10.0.16.10"
-        ipv6: "fd74:6a6f:0:1010::1"
  jakku:
    ipv4:
      subnet: "10.0.32.0/20"
@ -35,10 +33,6 @@ nodes:
    ipv6:
      subnet: "fd74:6a6f:0:2000::/52"
      address: "fd74:6a6f:0:2000::1"
-    hosts:
-      ingress.tjo.cloud:
-        ipv4: "10.0.32.10"
-        ipv6: "fd74:6a6f:0:2010::1"
  nevaroo:
    ipv4:
      subnet: "10.0.48.0/20"
@ -46,10 +40,6 @@ nodes:
    ipv6:
      subnet: "fd74:6a6f:0:3000::/52"
      address: "fd74:6a6f:0:3000::1"
-    hosts:
-      ingress.tjo.cloud:
-        ipv4: "10.0.48.10"
-        ipv6: "fd74:6a6f:0:3010::1"
  mustafar:
    ipv4:
      subnet: "10.0.64.0/20"
@ -57,10 +47,6 @@ nodes:
    ipv6:
      subnet: "fd74:6a6f:0:4000::/52"
      address: "fd74:6a6f:0:4000::1"
-    hosts:
-      ingress.tjo.cloud:
-        ipv4: "10.0.64.10"
-        ipv6: "fd74:6a6f:0:4010::1"
  endor:
    ipv4:
      subnet: "10.0.80.0/20"
@ -68,7 +54,3 @@ nodes:
    ipv6:
      subnet: "fd74:6a6f:0:5000::/52"
      address: "fd74:6a6f:0:5000::1"
-    hosts:
-      ingress.tjo.cloud:
-        ipv4: "10.0.80.10"
-        ipv6: "fd74:6a6f:0:5010::1"
--- a/network.tjo.cloud/root/etc/config/dhcp
+++ b/network.tjo.cloud/root/etc/config/dhcp
@ -25,11 +25,12 @@ config dhcp 'lan'
 	# 1/4 of the subnet space.
  # The rest is reserved for other uses.
 	option limit '1021'
-	option leasetime '24h'
+	option leasetime '56h'
 	option dhcpv4 'server'
 	option dhcpv6 'server'
 	option ra 'server'
 	option ra_default '1'
+	option ra_useleasetime '1'
 	list ra_flags 'managed-config'
 	list ra_flags 'other-config'

--- a/network.tjo.cloud/root/etc/config/firewall
+++ b/network.tjo.cloud/root/etc/config/firewall
@ -126,6 +126,7 @@ config zone
 	option input 'ACCEPT'
 	option output 'ACCEPT'
 	option forward 'ACCEPT'
+	option subnet '10.0.0.0/10'
 	list network 'lan'
 	list network 'lan_vip'
 	list network 'zerotier'
@ -155,12 +156,11 @@ config forwarding
 	option dest 'tailscale'

 ##
-# INGRESS.TJO.CLOUD
+# PORT FORWARDING
 ##
 {{- range (ds "config").firewall }}
 {{ $nodeName := getenv "NODE" }}
-{{ $node := index (ds "config").nodes $nodeName }}
-{{ $host := index $node.hosts .host }}
+{{ $host := .host }}
 {{ $name := .name }}
 {{- range $port := .ports }}