MERGEME: Only expose proxy to docker

2025-02-17 15:28:24 +01:00
parent ab82757b42
commit ea49d762d1
2 changed files with 8 additions and 2 deletions
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -55,8 +55,6 @@
        # Accept all proxy traffic from compute nodes but not the login
        iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse
        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept
-        # Allow docker to use our proxy
-        iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
      '';
    };
  };
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -97,6 +97,14 @@
    };
  };

+  # DOCKER* chains are useless, override at FORWARD
+  networking.firewall.extraCommands = ''
+    # Allow docker to use our proxy
+    iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
+    # Block anything else coming from docker
+    iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
+  '';
+
  #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
  systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false;
  systemd.services.gitlab-runner.serviceConfig.User = "gitlab-runner";