From 03680a992b627cda620ad3a3fd1ba9c725bfc371 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 28 Oct 2020 16:55:11 +0100 Subject: Switch Matrix+Plume to IPv6, Add Trusted Net to ip6tables --- app/config/configuration/plume/app.env | 2 +- app/deployment/im.hcl | 20 +++++++------------- app/deployment/plume.hcl | 11 +++++------ os/config/roles/network/templates/rules.v6 | 27 +++++++++++++++++++++++++++ 4 files changed, 40 insertions(+), 20 deletions(-) diff --git a/app/config/configuration/plume/app.env b/app/config/configuration/plume/app.env index 78eccfe..4a6adb4 100644 --- a/app/config/configuration/plume/app.env +++ b/app/config/configuration/plume/app.env @@ -16,7 +16,7 @@ DATABASE_URL=postgres://plume:{{ key "secrets/plume/pgsql_pw" | trimSpace }}@psq MIGRATION_DIRECTORY=migrations/postgres USE_HTTPS=0 -ROCKET_ADDRESS=0.0.0.0 +ROCKET_ADDRESS=:: ROCKET_PORT=7878 MEDIA_UPLOAD_DIRECTORY=/app/static/media diff --git a/app/deployment/im.hcl b/app/deployment/im.hcl index f76fb73..dfff98b 100644 --- a/app/deployment/im.hcl +++ b/app/deployment/im.hcl @@ -9,11 +9,8 @@ job "im" { config { image = "superboum/amd64_synapse:v36" + network_mode = "host" readonly_rootfs = true - port_map { - client_port = 8008 - federation_port = 8448 - } command = "python" args = [ "-m", "synapse.app.homeserver", @@ -95,16 +92,12 @@ job "im" { resources { cpu = 1000 memory = 4000 - network { - port "client_port" { } - port "federation_port" { } - } } service { name = "synapse-client" - port = "client_port" - address_mode = "host" + port = 8008 + address_mode = "driver" tags = [ "matrix", "traefik.enable=true", @@ -115,7 +108,8 @@ job "im" { ] check { type = "tcp" - port = "client_port" + port = 8008 + address_mode = "driver" interval = "60s" timeout = "5s" check_restart { @@ -128,8 +122,8 @@ job "im" { service { name = "synapse-federation" - port = "federation_port" - address_mode = "host" + port = 8448 + address_mode = "driver" tags = [ "matrix", "traefik.enable=true", 
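Review bot: `ROCKET_ADDRESS=::` is a wildcard bind, and together with the switch of plume.hcl to `network_mode = "host"` it puts Plume's plain-HTTP listener on 7878 on every address of the node, public IPv6 included; with the Linux default `net.ipv6.bindv6only=0` a `::` socket also accepts IPv4, so whether 7878 stays reachable only through Traefik now rests entirely on the INPUT default policy of rules.v6 and rules.v4, neither of which is in this diff. If Traefik is the intended front door, bind to the one node address Traefik connects to rather than `::`, assuming Rocket accepts a literal address here the way it accepted `0.0.0.0`. At minimum make the dependency visible above the line: `# Wildcard bind on host networking: 7878 is exposed on all node addresses, only the ip6tables/iptables INPUT policy keeps it private`.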
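Review bot: `network_mode = "host"` gives Synapse the node's network namespace, so a process that already parses untrusted federation and client traffic can now reach everything bound to the node's 127.0.0.1 (Consul and Nomad agents, databases, sibling tasks) and bind any free host port; the bridge network that the removed `port_map` implied kept that boundary, and the retained `readonly_rootfs = true` does not compensate for it. If IPv6 reachability is the only motivation, an IPv6-enabled Docker bridge (or Nomad's own bridge network mode, if this Nomad version supports it) keeps the namespace, and that alternative deserves a sentence in the commit message. If host mode stays, state the trade-off next to it: `# host networking for IPv6: task shares the node's loopback and ports, rely on the firewall and service auth`. The enclosing task stanza starts and ends outside this hunk.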
diff --git a/app/deployment/plume.hcl b/app/deployment/plume.hcl
index 376789b..88110da 100644
--- a/app/deployment/plume.hcl
+++ b/app/deployment/plume.hcl
@@ -13,9 +13,7 @@ job "plume" {
 driver = "docker"
 config {
 image = "superboum/plume:v1"
- port_map {
- web_port = 7878
- }
+ network_mode = "host"
 #command = "cat"
 #args = [ "/dev/stdout" ]
 volumes = [
@@ -51,11 +49,12 @@ job "plume" {
 "traefik.frontend.entryPoints=https,http",
 "traefik.frontend.rule=Host:plume.deuxfleurs.fr",
 ]
- port = "web_port"
- address_mode = "host"
+ port = 7878
+ address_mode = "driver"
 check {
 type = "tcp"
- port = "web_port"
+ port = 7878
+ address_mode = "driver"
 interval = "60s"
 timeout = "5s"
 check_restart {
diff --git a/os/config/roles/network/templates/rules.v6 b/os/config/roles/network/templates/rules.v6
index 50737a0..7cac66e 100644
--- a/os/config/roles/network/templates/rules.v6
+++ b/os/config/roles/network/templates/rules.v6
@@ -3,6 +3,10 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 
+# Declaring our chains
+-N DEUXFLEURS-TRUSTED-NET
+-N DEUXFLEURS-TRUSTED-PORT
+
 # Internet Control Message Protocol
 # (required)
 -A INPUT -p icmp -j ACCEPT
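Review bot: Dropping `port_map` without adding a static port to the task's resources stanza means Nomad no longer reserves 7878 on the node, so the scheduler can co-locate another host-networked allocation that uses the same port and the second one will fail to bind; the resources stanza where the reservation belongs lies outside this hunk. A reservation that does not change how the container listens is `network { port "web_port" { static = 7878 } }` beside the existing cpu/memory limits, and the same applies to 8008/8448 in im.hcl. Also worth checking on a real node that the Docker driver reports an address for a host-mode container when the service below uses `address_mode = "driver"`; if it reports none, the registration fails and `address_mode = "host"` with the static port is the fallback.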
@@ -21,6 +25,29 @@
 -A INPUT -s ::1/128 -j ACCEPT
 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
+# Who is part of our trusted net?
+# Max@Bruxelles
+-A DEUXFLEURS-TRUSTED-NET -s 2a02:1811:3606:4800::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# Max@Suresnes
+-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:183:7be2::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# LX@Rennes
+-A DEUXFLEURS-TRUSTED-NET -s 2a02:8428:81d6:6901::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# ADRN@Gandi
+-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
+# Quentin@Rennes
+-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
+# Source address is not trusted
+-A DEUXFLEURS-TRUSTED-NET -j RETURN
+
+# What can do our trusted net?
+# Access garage basically
+-A DEUXFLEURS-TRUSTED-PORT -p tcp --dport 3901 -j ACCEPT
+# Port is not allowed
+-A DEUXFLEURS-TRUSTED-PORT -j RETURN
+
+# Let's check if the user comes from our trusted network
+-A INPUT -j DEUXFLEURS-TRUSTED-NET
+
 COMMIT
 
 *nat
-- cgit v1.2.3
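Review bot: Four of the five trusted entries are /64s commented as people's homes, so each rule admits every device on that household's LAN (phones, IoT, guests) to garage's 3901, not just the named person's machine, and a prefix delegated by a residential ISP can change on renumbering, which silently hands the access to whoever inherits it. Since this is a source-address-only control in front of a data service, treat it as a convenience filter rather than authentication: keep whatever authentication garage enforces on 3901 mandatory, prefer /128 where the host address is stable (as the Gandi entry already does), and record the obligation above the list: `# NOTE: a /64 admits the whole home LAN; re-check these prefixes whenever an ISP renumbers`. The trailing `-A DEUXFLEURS-TRUSTED-NET -j RETURN` and `-A DEUXFLEURS-TRUSTED-PORT -j RETURN` are no-ops, since a user-defined chain returns when it runs out of rules, so they can be dropped or kept purely as documentation.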