Make trusted_ports list

2024-07-25 10:53:44 +02:00 · 2024-07-25 10:53:44 +02:00 · 35a63d7aaa
commit 35a63d7aaa
parent 631e09ff74
4 changed files with 11 additions and 5 deletions
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@ -21,6 +21,8 @@ trusted_ranges:
  - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" }
  - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" }
  - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" }
+trusted_ports:
+  - ssh

 root_access:
  - ak
--- a/group_vars/fotos.yaml
+++ b/group_vars/fotos.yaml
@ -6,6 +6,10 @@ root_access:
  - polyfloyd
  - wilco

+trusted_ports:
+  - ssh
+  - microsoft-ds
+
 group_nft_input:
  - "# Allow traffic from wiki"
  - "ip saddr 204.2.64.19 tcp dport { 4567 } accept"
--- a/group_vars/mqtt.yaml
+++ b/group_vars/mqtt.yaml
@ -3,6 +3,6 @@
 nft_group_rules:
  - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" }

-group_nft_input:
-  - ip saddr @trusted4 tcp dport { 1883 } accept
-  - ip6 saddr @trusted6 tcp dport { 1883 } accept
+trusted_ports:
+  - ssh
+  - 1883
--- a/roles/nft/templates/nftables.conf.j2
+++ b/roles/nft/templates/nftables.conf.j2
@ -73,8 +73,8 @@ set trusted6 {
        } accept

        # Open ssh only for trusted machines
-        ip saddr @trusted4 tcp dport { ssh } accept
-        ip6 saddr @trusted6 tcp dport { ssh } accept
+        ip saddr @trusted4 tcp dport { {{ trusted_ports|join(', ') }} } accept
+        ip6 saddr @trusted6 tcp dport { {{ trusted_ports|join(', ') }} } accept

        # Rules based on group-vars
 {% for custom in nft_group_rules %}