Firewall comments

2024-12-02 21:57:47 +01:00 · 2024-12-02 21:57:47 +01:00 · 69547fc540
commit 69547fc540
parent b51372bfb2
8 changed files with 10 additions and 19 deletions
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@ -20,7 +20,7 @@ trusted_ranges:
 #  - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset
  - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" }
  - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" }
-  - { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "eventinfra v6-range" }
+  - { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "bitlair space v6-range" }
  - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" }
 trusted_ports:
  - ssh
--- a/group_vars/fotos.yaml
+++ b/group_vars/fotos.yaml
@ -11,6 +11,5 @@ trusted_ports:
  - microsoft-ds

 group_nft_input:
-  - "# Allow traffic from wiki"
-  - "ip saddr 204.2.64.19 tcp dport { 4567 } accept"
+  - "ip saddr 204.2.64.19 tcp dport { 4567 } accept # Allow traffic from wiki"

--- a/group_vars/git.yaml
+++ b/group_vars/git.yaml
@ -7,8 +7,7 @@ git_server_title: Gitlair
 git_server_bootstrap_cert: no

 group_nft_input:
-  - "# Allow ssh(git) + web-traffic from world"
-  - "tcp dport { ssh, http, https } accept"
+  - "tcp dport { ssh, http, https } accept # Allow ssh(git) + web-traffic from world"

 nginx_client_max_body_size: 4G

--- a/group_vars/homeassistant.yaml
+++ b/group_vars/homeassistant.yaml
@ -3,10 +3,8 @@ acme_san_domains:
  - [ homeassistant.bitlair.nl ]

 group_nft_input:
-  - "# Allow web-traffic from world"
-  - "tcp dport { http, https } accept"
-  - "# mqtt from world"
-  - "tcp dport { 1883 } accept"
+  - "tcp dport { http, https } accept # Allow web-traffic from world"
+  - "tcp dport { 1883 } accept # mqtt from world"

 nginx_sites:
  - server_name: "homeassistant.bitlair.nl"
--- a/group_vars/monitoring.yaml
+++ b/group_vars/monitoring.yaml
@ -4,8 +4,7 @@ acme_san_domains:
  - ["{{ monitoring_domain }}"]

 group_nft_input:
-  - "# Allow web-traffic from world"
-  - "tcp dport { http, https } accept"
+  - "tcp dport { http, https } accept # Allow web-traffic from world"

 prometheus_scrape_configs:
  - job_name: "node"
--- a/group_vars/pad.yaml
+++ b/group_vars/pad.yaml
@ -25,5 +25,4 @@ nginx_sites:
      - "}"

 group_nft_input:
-  - "# Allow web-traffic from world"
-  - "tcp dport { http, https } accept"
+  - "tcp dport { http, https } accept # Allow web-traffic from world"
--- a/group_vars/shell.yaml
+++ b/group_vars/shell.yaml
@ -3,5 +3,4 @@
 manage_sshd_config: false

 group_nft_input:
-  - "# Allow SSH from world"
-  - "tcp dport { ssh } accept"
+  - "tcp dport { ssh } accept # Allow SSH from world"
--- a/group_vars/wiki.yaml
+++ b/group_vars/wiki.yaml
@ -5,10 +5,8 @@ acme_san_domains:
  - [ ravespace.nl ]

 group_nft_input:
-  - "# Allow web-traffic from world"
-  - "tcp dport { http, https } accept"
-  - "# mqtt from world"
-  - "tcp dport { 1883 } accept"
+  - "tcp dport { http, https } accept # Allow web-traffic from world"
+  - "tcp dport { 1883 } accept # mqtt from world"

 nginx_sites:
  - server_name: "bitlair.nl"