83 lines
1.6 KiB
HCL
83 lines
1.6 KiB
HCL
# create basic firewall for talos
|
|
|
|
resource "hcloud_firewall" "fw_extern" {
|
|
name = "fw_extern"
|
|
|
|
# basic networking
|
|
rule { # icmp
|
|
description = "allow icmp"
|
|
direction = "in"
|
|
protocol = "icmp"
|
|
source_ips = [
|
|
"0.0.0.0/0",
|
|
"::/0"
|
|
]
|
|
}
|
|
|
|
# management
|
|
rule { # talos api
|
|
description = "allow talosctl"
|
|
direction = "in"
|
|
protocol = "tcp"
|
|
port = "50000-50001"
|
|
source_ips = [
|
|
"0.0.0.0/0",
|
|
"::/0"
|
|
]
|
|
}
|
|
rule { # kube api
|
|
description = "allow kube api"
|
|
direction = "in"
|
|
protocol = "tcp"
|
|
port = "6443"
|
|
source_ips = [
|
|
"0.0.0.0/0",
|
|
"::/0"
|
|
]
|
|
}
|
|
rule { # kubespan
|
|
description = "allow kubespan"
|
|
direction = "in"
|
|
protocol = "udp"
|
|
port = "51820"
|
|
source_ips = [
|
|
"0.0.0.0/0",
|
|
"::/0"
|
|
]
|
|
}
|
|
|
|
# services
|
|
rule { # http
|
|
description = "allow http"
|
|
direction = "in"
|
|
protocol = "tcp"
|
|
port = "80"
|
|
source_ips = [
|
|
"0.0.0.0/0",
|
|
"::/0"
|
|
]
|
|
}
|
|
rule { # https
|
|
description = "allow https"
|
|
direction = "in"
|
|
protocol = "tcp"
|
|
port = "443"
|
|
source_ips = [
|
|
"0.0.0.0/0",
|
|
"::/0"
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "hcloud_firewall" "fw_cluster" {
|
|
name = "fw_cluster"
|
|
rule { # cilium
|
|
description = "allow 10250 for cilium"
|
|
direction = "in"
|
|
protocol = "tcp"
|
|
port = "10250"
|
|
source_ips = [
|
|
for s in concat(hcloud_server.talos_cp, hcloud_server.talos_cp) : "${s.ipv4_address}/32" #format("%s/32", s.ipv4_address)
|
|
]
|
|
}
|
|
}
|