Adds a public (0.0.0.0/0) zone and askari's Caddy (80/443) + NetBird STUN (3478/udp) ingress so the base nftables default-deny does not drop the live public services when applied to askari. Molecule + filter unit test cover the public-zone rendering. Mesh-hardening 1/3 (ADR-020/024/016).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
28 lines
1 KiB
YAML
```yaml
---
# Shared firewall topology — single source of truth for the host nftables layer
# (base role) and OPNsense (future). See docs/decisions/020-firewall.md.

# Zone → subnet (from ADR-007). `public` = the WAN (anywhere) for deliberately public
# off-site services (askari); home/cluster services use the internal zones only.
firewall_zones:
  mgmt: 10.10.0.0/24
  srv: 10.20.0.0/24
  lan: 10.30.0.0/24
  iot: 10.40.0.0/24
  guest: 10.50.0.0/24
  public: 0.0.0.0/0

# Service catalog: <name> → placement (host | group | hosts) + ingress[].
# askari's public surface (ADR-024 Caddy + ADR-016 NetBird STUN). NOTE: the host
# nftables template renders IPv4 source rules only; askari is reached via its A record
# (no AAAA), so IPv4-only public rules are sufficient (see the spec's IPv6 note).
firewall_catalog:
  reverse_proxy:
    host: askari
    ingress:
      - { from: public, port: 80, proto: tcp }
      - { from: public, port: 443, proto: tcp }
  netbird_stun:
    host: askari
    ingress:
      - { from: public, port: 3478, proto: udp }
```
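To show how a topology like the one above turns into host rules, here is an added example renderer (not the project's own filter plugin or template): it takes the zone map and service catalog, emits nftables accept rules for one host, drops the source match for the `0.0.0.0/0` public zone, and refuses non-IPv4 zones, matching the IPv4-only note in the file. The `render_ingress` name and the exact rule text are assumptions.

```python
import ipaddress

# Constructed copy of the topology in the file above (same values).
FIREWALL_ZONES = {
    "mgmt": "10.10.0.0/24", "srv": "10.20.0.0/24", "lan": "10.30.0.0/24",
    "iot": "10.40.0.0/24", "guest": "10.50.0.0/24", "public": "0.0.0.0/0",
}
FIREWALL_CATALOG = {
    "reverse_proxy": {"host": "askari", "ingress": [
        {"from": "public", "port": 80, "proto": "tcp"},
        {"from": "public", "port": 443, "proto": "tcp"}]},
    "netbird_stun": {"host": "askari", "ingress": [
        {"from": "public", "port": 3478, "proto": "udp"}]},
}


def render_ingress(host, zones, catalog):
    """Return nftables accept rules for `host` (hypothetical helper, not the
    project's filter). An empty list means nothing is opened and the
    default-deny policy stands. Only IPv4 source zones are rendered."""
    rules = []
    for name, svc in catalog.items():
        if svc.get("host") != host:
            continue  # service is placed elsewhere; nothing to open here
        for ing in svc["ingress"]:
            if ing["from"] not in zones:
                raise KeyError(f"{name}: unknown zone {ing['from']}")
            net = ipaddress.ip_network(zones[ing["from"]], strict=True)
            if net.version != 4:
                raise ValueError(f"{name}: zone {ing['from']} is not IPv4")
            port = int(ing["port"])
            if not 1 <= port <= 65535:
                raise ValueError(f"{name}: bad port {port}")
            proto = ing["proto"]
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{name}: unsupported proto {proto}")
            # 0.0.0.0/0 matches every source, so no saddr test is emitted
            # instead of rendering a no-op "ip saddr 0.0.0.0/0" match.
            src = "" if net.prefixlen == 0 else f"ip saddr {net} "
            rules.append(f'{src}{proto} dport {port} accept comment "{name}"')
    return rules


if __name__ == "__main__":
    for rule in render_ingress("askari", FIREWALL_ZONES, FIREWALL_CATALOG):
        print(rule)
```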