RWejlgaard/pez-infra
1
0
Fork 0
mirror of https://github.com/RWejlgaard/pez-infra.git synced 2026-05-06 04:14:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
pez-infra/ansible/roles/firewall_alpine
History
Rasmus "Pez" Wejlgaard 3c751af3ce
fix(firewall_alpine): replace empty iptables ruleset with proper INPUT filtering (#32) 
* Bind node_exporter to Tailscale IP on public-facing hosts

node_exporter was listening on 0.0.0.0:9100 on helsinki-a and london-a,
exposing metrics to the public internet.

Changes:
- Add node_exporter_bind_tailscale flag (default false) to opt in
- Set flag on helsinki-a and london-a host_vars
- Debian: configure ARGS in /etc/default/prometheus-node-exporter
- FreeBSD: use native node_exporter_listen_address rc.conf variable
- Add handlers to restart on config change

Prometheus already scrapes via Tailscale IPs, no scrape config changes needed.

Fixes PESO-98

* fix(firewall_alpine): replace empty iptables ruleset with proper INPUT filtering

The rules.v4.j2 template deployed a ruleset with INPUT ACCEPT and zero
custom rules — effectively a no-op. nuremberg-a is a public-facing mail
server and needs actual filtering.

Changes:
- INPUT default policy set to DROP
- Allow loopback, established/related, Tailscale interface, SSH, ICMP
- FORWARD stays ACCEPT for Docker port-forwarding
- Added firewall_alpine_extra_input_rules variable for host-specific rules

Mail ports remain handled by Docker's FORWARD chain, not INPUT.

Closes PESO-119
2026-04-02 21:18:11 +01:00
..
defaults capture nuremberg-a firewall rules in pez-infra (#15) 2026-03-29 14:40:10 +01:00
handlers Fix docker-compose package conflict and alpine firewall handler (#22) 2026-03-29 19:11:52 +01:00
tasks capture nuremberg-a firewall rules in pez-infra (#15) 2026-03-29 14:40:10 +01:00
templates fix(firewall_alpine): replace empty iptables ruleset with proper INPUT filtering (#32) 2026-04-02 21:18:11 +01:00