From 631e09ff747cb072e9fbb7361f1ddf525a16ab6d Mon Sep 17 00:00:00 2001
From: Mark Janssen
Date: Thu, 25 Jul 2024 10:42:25 +0200
Subject: [PATCH] Fix mqtt + fotos firewall rules

---
 group_vars/all.yaml   | 1 +
 group_vars/fotos.yaml | 5 +++++
 group_vars/mqtt.yaml  | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/group_vars/all.yaml b/group_vars/all.yaml
index 928e710..18728b5 100644
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -14,6 +14,7 @@ trusted_ranges:
   - { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" }
   - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair A2B" } # kan weg ??
   - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar thuis" }
+  - { v: ipv4, cidr: "185.205.53.40/32", comment: "ak / koopen.net" }
 # - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" }
 # - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" }
 # - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset
diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml
index 9ab05d7..ce3dc05 100644
--- a/group_vars/fotos.yaml
+++ b/group_vars/fotos.yaml
@@ -5,3 +5,8 @@ root_access:
   - linor
   - polyfloyd
   - wilco
+
+group_nft_input:
+  - "# Allow traffic from wiki"
+  - "ip saddr 204.2.64.19 tcp dport { 4567 } accept"
+
diff --git a/group_vars/mqtt.yaml b/group_vars/mqtt.yaml
index 3b2167b..5b4604d 100644
--- a/group_vars/mqtt.yaml
+++ b/group_vars/mqtt.yaml
@@ -2,3 +2,7 @@ nft_group_rules:
   - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" }
+
+group_nft_input:
+  - ip saddr @trusted4 tcp dport { 1883 } accept
+  - ip6 saddr @trusted6 tcp dport { 1883 } accept
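Review bot: The new `trusted_ranges` entry for `185.205.53.40/32` documents only a name ("ak / koopen.net"), not which service needs it, although this list feeds the `@trusted4` set that the mqtt hunk in this same commit opens port 1883 to, so the host gains every trusted-only rule at once rather than the one access it presumably needs. The neighbouring entry already carries a "kan weg ??" marker, which shows how quickly the reason for a trusted entry is forgotten; record the purpose and an owner in the entry itself, e.g. `comment: "ak / koopen.net - <service/reason>, contact <owner>"` with the placeholders filled in. If the host only needs one port, a per-group `group_nft_input` rule with a literal source address, as the fotos hunk does, would be the narrower choice.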
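Review bot: The accept rule for `204.2.64.19` on port 4567 carries no note of what listens on that port or why the "wiki" host needs it, and the `"# Allow traffic from wiki"` list item is the only hint; since it is emitted as a comment into the generated ruleset, make it self-explanatory, e.g. `- "# Allow <service on 4567> from the wiki host (204.2.64.19), see <ticket/placeholder>"`. The style also differs from the mqtt hunk in this commit, which writes the same kind of `group_nft_input` entries unquoted (`- ip saddr @trusted4 tcp dport { 1883 } accept`): both parse, but quoting is the safer form because a value beginning with `#` or `@` would otherwise be read as a comment or an alias, so the quoted form used here should be adopted in mqtt.yaml too. The hunk also adds a trailing blank line at end of file that yamllint will flag.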