mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-05-06 04:14:43 +00:00
Rasmus "Pez" Wejlgaard
3c751af3ce
* Bind node_exporter to Tailscale IP on public-facing hosts node_exporter was listening on 0.0.0.0:9100 on helsinki-a and london-a, exposing metrics to the public internet. Changes: - Add node_exporter_bind_tailscale flag (default false) to opt in - Set flag on helsinki-a and london-a host_vars - Debian: configure ARGS in /etc/default/prometheus-node-exporter - FreeBSD: use native node_exporter_listen_address rc.conf variable - Add handlers to restart on config change Prometheus already scrapes via Tailscale IPs, no scrape config changes needed. Fixes PESO-98 * fix(firewall_alpine): replace empty iptables ruleset with proper INPUT filtering The rules.v4.j2 template deployed a ruleset with INPUT ACCEPT and zero custom rules — effectively a no-op. nuremberg-a is a public-facing mail server and needs actual filtering. Changes: - INPUT default policy set to DROP - Allow loopback, established/related, Tailscale interface, SSH, ICMP - FORWARD stays ACCEPT for Docker port-forwarding - Added firewall_alpine_extra_input_rules variable for host-specific rules Mail ports remain handled by Docker's FORWARD chain, not INPUT. Closes PESO-119
33 lines
888 B
Django/Jinja
33 lines
888 B
Django/Jinja
# {{ ansible_managed }}
|
|
# iptables rules for {{ inventory_hostname }}
|
|
#
|
|
# Docker and Tailscale manage their own chains automatically.
|
|
# This file captures non-Docker, non-Tailscale INPUT rules only.
|
|
#
|
|
# Mail ports (25,80,110,143,443,465,587,993,995) are exposed via
|
|
# Docker port mappings — traffic goes through FORWARD, not INPUT.
|
|
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
|
|
# Allow loopback
|
|
-A INPUT -i lo -j ACCEPT
|
|
|
|
# Allow established and related connections
|
|
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# Allow all traffic on Tailscale interface
|
|
-A INPUT -i tailscale0 -j ACCEPT
|
|
|
|
# Allow SSH (public access — fail2ban provides brute-force protection)
|
|
-A INPUT -p tcp --dport 22 -j ACCEPT
|
|
|
|
# Allow ICMP (ping)
|
|
-A INPUT -p icmp -j ACCEPT
|
|
|
|
{% for rule in firewall_alpine_extra_input_rules | default([]) %}
|
|
{{ rule }}
|
|
{% endfor %}
|
|
COMMIT
|