From 9ddb5d75f2f9bcb105941bac6d6a08a4edcad833 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Fri, 19 Mar 2021 21:27:15 +0000
Subject: [PATCH] blade: restrict ceph firewall rules to storage network

---
 ops/nixos/lib/blade.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ops/nixos/lib/blade.nix b/ops/nixos/lib/blade.nix
index baef3b29d6..fbedc93176 100644
--- a/ops/nixos/lib/blade.nix
+++ b/ops/nixos/lib/blade.nix
@@ -98,8 +98,8 @@ in {
 firewall.allowedUDPPorts = [
 41641 # Tailscale
 ];
-firewall.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ];
-firewall.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }];
+firewall.interfaces.en-storage.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ];
+firewall.interfaces.en-storage.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }];
 nat = lib.optionalAttrs (config.my.blade.macAddress.internet != null) {
 enable = true;