From ea49d762d140c4cf164bb7f689a02e4d569e92bd Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Mon, 17 Feb 2025 15:28:24 +0100
Subject: [PATCH] MERGEME: Only expose proxy to docker

---
 m/hut/configuration.nix | 2 --
 m/hut/gitlab-runner.nix | 8 ++++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/m/hut/configuration.nix b/m/hut/configuration.nix
index 11078d26..66cc8811 100644
--- a/m/hut/configuration.nix
+++ b/m/hut/configuration.nix
@@ -55,8 +55,6 @@
 # Accept all proxy traffic from compute nodes but not the login
 iptables -A nixos-fw -p tcp -s 10.0.40.30 --dport 23080 -j nixos-fw-log-refuse
 iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 23080 -j nixos-fw-accept
- # Allow docker to use our proxy
- iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
 '';
 };
 };
diff --git a/m/hut/gitlab-runner.nix b/m/hut/gitlab-runner.nix
index c941e1de..860b37c7 100644
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -97,6 +97,14 @@
 };
 };
 
+ # DOCKER* chains are useless, override at FORWARD
+ networking.firewall.extraCommands = ''
+ # Allow docker to use our proxy
+ iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
+ # Block anything else coming from docker
+ iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
+ '';
+
 #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
 systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false;
 systemd.services.gitlab-runner.serviceConfig.User = "gitlab-runner";
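Review bot: The new `iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept` rule in gitlab-runner.nix is unlikely to see the container-to-proxy traffic it is meant to admit: assuming `hut` resolves to an address configured on this host, packets from docker0 addressed to it are delivered locally and traverse INPUT rather than FORWARD, and the INPUT-side `-i docker0 -d hut --dport 23080` rule is exactly what the configuration.nix hunk removes, so unless another nixos-fw rule admits docker0 (not visible here) containers may lose proxy access while the `-i docker0 -j nixos-fw-log-refuse` FORWARD rule still blocks everything else. If the proxy must stay reachable, keep the nixos-fw accept line in configuration.nix and treat the FORWARD pair purely as the forwarding block. Separately, these two rules go into the built-in FORWARD chain rather than a nixos-fw chain, so the firewall unit's stop phase — which, as far as I recall, flushes only the nixos-fw* chains — leaves them behind and every firewall restart stacks another copy at the top of FORWARD; a matching `networking.firewall.extraStopCommands` with `iptables -D FORWARD -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept 2>/dev/null || true` and `iptables -D FORWARD -p all -i docker0 -j nixos-fw-log-refuse 2>/dev/null || true` avoids that accumulation. The `# DOCKER* chains are useless` comment would also be clearer if it recorded that dockerd re-inserts its own jump rules at the head of FORWARD when it (re)starts, so whether this pair stays ahead of Docker's `-i docker0 ! -o docker0 -j ACCEPT` rule depends on service ordering that the hunk does not pin down.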