diff --git a/m/common/base/ssh.nix b/m/common/base/ssh.nix
index 7d7b939d..b5310762 100644
--- a/m/common/base/ssh.nix
+++ b/m/common/base/ssh.nix
@@ -10,7 +10,7 @@ in
   # Connect to intranet git hosts via proxy
   programs.ssh.extraConfig = ''
-    Host bscpm02.bsc.es bscpm03.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
+    Host bscpm02.bsc.es bscpm03.bsc.es bscpm04.bsc.es gitlab-internal.bsc.es alya.gitlab.bsc.es
       User git
       ProxyCommand nc -X connect -x hut:23080 %h %p
@@ -22,6 +22,7 @@ in
   programs.ssh.knownHosts = hostsKeys // {
     "gitlab-internal.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3";
     "bscpm03.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM2NuSUPsEhqz1j5b4Gqd+MWFnRqyqY57+xMvBUqHYUS";
+    "bscpm04.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT";
     "glogin1.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz";
     "glogin2.bsc.es".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsHsZGCrzpd4QDVn5xoDOtrNBkb0ylxKGlyBt6l9qCz";
   };
diff --git a/m/hut/gitlab-runner.nix b/m/hut/gitlab-runner.nix
index 9241e5de..2fe7c1cb 100644
--- a/m/hut/gitlab-runner.nix
+++ b/m/hut/gitlab-runner.nix
@@ -97,12 +97,13 @@
     };
   };
-  # DOCKER* chains are useless, override at FORWARD
+  # DOCKER* chains are useless, override at FORWARD and nixos-fw
   networking.firewall.extraCommands = ''
-    # Allow docker to use our proxy
-    iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
-    # Block anything else coming from docker
-    iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
+    # Don't forward any traffic from docker
+    iptables -I FORWARD 1 -p all -i docker0 -j nixos-fw-log-refuse
+
+    # Allow incoming traffic from docker to 23080
+    iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j ACCEPT
   '';
   #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
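Review bot: The knownHosts hunk pins a key for the newly added bscpm04.bsc.es, but bscpm02.bsc.es and alya.gitlab.bsc.es, which the Host line in the first hunk routes through the same ProxyCommand, have no pinned key visible here. If `hostsKeys` does not already carry them, the first connection to those hosts falls back to interactive host-key acceptance over the proxy, which is the situation the pins exist to avoid; worth confirming, and pinning them the same way if not. A one-line comment above the new entry recording how the bscpm04 key was obtained (e.g. `# verified out-of-band against <SOURCE-OF-KEY>` with the real source filled in) would make future rotations of these pins easier to audit.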
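Review bot: The new accept rule in the gitlab-runner hunk jumps straight to `-j ACCEPT`, while the rule it replaced and the refuse rule kept directly above it both target the firewall module's own `nixos-fw-*` chains; `iptables -A nixos-fw -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept` keeps every rule in this block on the same convention and under the same chain handling. The `-I FORWARD 1` refuse rule is inserted on every run of `extraCommands` but, as far as I can tell from this hunk, nothing removes it, so firewall reloads presumably accumulate duplicate copies in FORWARD unless an `extraStopCommands` entry deletes it; that was already true of the removed pair of rules, but it is easier to fix now that there is a single rule to mirror. Since the comment says the DOCKER* chains are bypassed deliberately, a short note on why the docker-documented DOCKER-USER hook was not used would save the next maintainer from "fixing" it.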