blade: restrict ceph firewall rules to storage network

This commit is contained in:
Luke Granger-Brown 2021-03-19 21:27:15 +00:00
parent 4f5f2a780a
commit 9ddb5d75f2


@ -98,8 +98,8 @@ in {
firewall.allowedUDPPorts = [ firewall.allowedUDPPorts = [
41641 # Tailscale 41641 # Tailscale
]; ];
firewall.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ]; firewall.interfaces.en-storage.allowedTCPPorts = lib.mkIf config.services.ceph.enable [ 6789 3300 ];
firewall.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }]; firewall.interfaces.en-storage.allowedTCPPortRanges = lib.mkIf config.services.ceph.enable [{ from = 6800; to = 7300; }];
nat = lib.optionalAttrs (config.my.blade.macAddress.internet != null) { nat = lib.optionalAttrs (config.my.blade.macAddress.internet != null) {
enable = true; enable = true;