Add firewall rules for Ceph and monitoring

The firewall was blocking the monitoring traffic from hut and the Ceph traffic among OSDs. The rules only allow connecting from the specific host that they are supposed to be coming from. Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
2024-04-24 16:55:06 +02:00 · 2024-04-24 16:55:06 +02:00 · 1aa51a816c
commit 1aa51a816c
parent f90172ab77
2 changed files with 18 additions and 0 deletions
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@ -23,6 +23,16 @@
      address = "10.0.42.40";
      prefixLength = 24;
    } ];
+    firewall = {
+      extraCommands = ''
+        # Accept all incoming TCP traffic from lake2
+        iptables -A nixos-fw -p tcp -s lake2 -j nixos-fw-accept
+        # Accept monitoring requests from hut
+        iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
+        # Accept all Ceph traffic from the local network
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+      '';
+    };
  };

  services.ceph = {
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@ -45,6 +45,14 @@
      address = "10.0.42.42";
      prefixLength = 24;
    } ];
+    firewall = {
+      extraCommands = ''
+        # Accept all incoming TCP traffic from bay
+        iptables -A nixos-fw -p tcp -s bay -j nixos-fw-accept
+        # Accept monitoring requests from hut
+        iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
+      '';
+    };
  };

  # Missing service for volumes, see: