---
# Shared firewall topology — single source of truth for the host nftables layer
# (base role) and OPNsense (future). See docs/decisions/020-firewall.md.
# Zone → subnet (from ADR-007). `public` = the WAN (anywhere) for deliberately public
# off-site services (askari); home/cluster services use the internal zones only.
# Zone name → IPv4 source prefix. Catalog entries refer to zones by name in
# their `from:` field; the nftables template turns that into a source match.
# Prefixes are quoted so no tool ever re-types or re-formats them.
firewall_zones:
  mgmt: '10.10.0.0/24'
  srv: '10.20.0.0/24'
  lan: '10.30.0.0/24'
  iot: '10.40.0.0/24'
  guest: '10.50.0.0/24'
  # 0.0.0.0/0 matches every IPv4 source, including all internal zones above,
  # so a `from: public` ingress rule is reachable from inside as well — fine
  # for services that are public by design, never for internal-only ones.
  public: '0.0.0.0/0'
# Service catalog: <name> → placement (host | group | hosts) + ingress[].
# askari's public surface (ADR-024 Caddy + ADR-016 NetBird STUN). NOTE: the host
# nftables template renders IPv4 source rules only; askari is reached via its A record
# (no AAAA), so IPv4-only public rules are sufficient (see the spec's IPv6 note).
# Each entry: a placement (`host`, `group` or `hosts`) plus an `ingress` list of
# { from: <zone>, port: <int>, proto: tcp|udp } allow entries. Only IPv4 source
# rules are rendered for these. NOTE(review): confirm the rendering template's
# default input policy is drop, so this catalog is an allow-list and not an
# addition to an already-open host.
firewall_catalog:
  # Caddy reverse proxy (ADR-024), exposed to the whole Internet.
  reverse_proxy:
    host: askari
    ingress:
      # NOTE(review): 80/tcp is open alongside 443 — presumably for the
      # HTTP→HTTPS redirect / ACME HTTP-01; confirm nothing is served in clear.
      - from: public
        port: 80
        proto: tcp
      - from: public
        port: 443
        proto: tcp

  # NetBird STUN (ADR-016). STUN is UDP and source-unrestricted by design.
  netbird_stun:
    host: askari
    ingress:
      - from: public
        port: 3478
        proto: udp