From d51297fec99f9a3652f207bf797b3e1d072815bf Mon Sep 17 00:00:00 2001
From: Gerald Pinder <4626052+gmpinder@users.noreply.github.com>
Date: Sat, 17 May 2025 22:18:15 -0400
Subject: [PATCH] Add more firewall rules
---
.../etc/NetworkManager/conf.d/rke2-canal.conf | 2 ++
.../etc/firewalld/services/rke-common.xml | 16 ++++++++++++++++
.../etc/sudoers.d/99_rke2 | 0
.../lib/systemd/system/create_rke_user.service | 0
.../usr/libexec/rke2/create_rke_user.sh | 1 +
.../usr/libexec/rke2/skel/.ssh/authorized_keys | 0
.../etc/firewalld/services/rke-server.xml | 11 +++++++++++
files/rke_setup/etc/firewalld/services/rke.xml | 6 ------
recipes/common/jp-minis.yml | 2 +-
recipes/jp-minis-server.yml | 4 ++++
10 files changed, 35 insertions(+), 7 deletions(-)
create mode 100644 files/rke-common/etc/NetworkManager/conf.d/rke2-canal.conf
create mode 100644 files/rke-common/etc/firewalld/services/rke-common.xml
rename files/{rke_setup => rke-common}/etc/sudoers.d/99_rke2 (100%)
rename files/{rke_setup => rke-common}/usr/lib/systemd/system/create_rke_user.service (100%)
rename files/{rke_setup => rke-common}/usr/libexec/rke2/create_rke_user.sh (91%)
rename files/{rke_setup => rke-common}/usr/libexec/rke2/skel/.ssh/authorized_keys (100%)
create mode 100644 files/rke-server/etc/firewalld/services/rke-server.xml
delete mode 100644 files/rke_setup/etc/firewalld/services/rke.xml
diff --git a/files/rke-common/etc/NetworkManager/conf.d/rke2-canal.conf b/files/rke-common/etc/NetworkManager/conf.d/rke2-canal.conf
new file mode 100644
index 0000000..a046a90
--- /dev/null
+++ b/files/rke-common/etc/NetworkManager/conf.d/rke2-canal.conf
@@ -0,0 +1,2 @@
+[keyfile]
+unmanaged-devices=interface-name:flannel*;interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:vxlan-v6.calico;interface-name:wireguard.cali;interface-name:wg-v6.cali
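Review bot: The unmanaged-devices line has no comment saying why these interface names are excluded or what creates them, so a future reader cannot tell that the list must track the CNI's interface naming. The keyfile plugin accepts `#` comments, so a header such as `# Keep NetworkManager from touching interfaces created by the RKE2 canal/calico CNI (flannel, calico, tunl, vxlan, wireguard)` above `[keyfile]` would document that. The `wireguard.cali` and `wg-v6.cali` entries presumably only matter when the WireGuard backend is enabled; noting that would keep someone from trimming them as dead patterns.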
diff --git a/files/rke-common/etc/firewalld/services/rke-common.xml b/files/rke-common/etc/firewalld/services/rke-common.xml
new file mode 100644
index 0000000..657bcb2
--- /dev/null
+++ b/files/rke-common/etc/firewalld/services/rke-common.xml
@@ -0,0 +1,16 @@
+
+
+ RKE Common
+ Common ports for RKE services.
+
+
+
+
+
+
+
+
+
+
+
+
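Review bot: Dropping this service definition into /etc/firewalld/services opens nothing by itself; firewalld only applies a service once it is added to a zone, and neither this hunk nor the recipe hunks in recipes/common/jp-minis.yml and recipes/jp-minis-server.yml show a `firewall-cmd --permanent --add-service=rke-common` (or `--add-service=rke-server` for files/rke-server/etc/firewalld/services/rke-server.xml) step, so unless that happens in a step outside this patch the new rules are inert while the old rke.xml is removed. The port entries of this hunk are not legible on this page, so they could not be checked against the description. The visible description `Common ports for RKE services.` should say which peers and direction the ports serve, since a firewalld service admits them from every host in the zone. The same two points apply to rke-server.xml.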
diff --git a/files/rke_setup/etc/sudoers.d/99_rke2 b/files/rke-common/etc/sudoers.d/99_rke2
similarity index 100%
rename from files/rke_setup/etc/sudoers.d/99_rke2
rename to files/rke-common/etc/sudoers.d/99_rke2
diff --git a/files/rke_setup/usr/lib/systemd/system/create_rke_user.service b/files/rke-common/usr/lib/systemd/system/create_rke_user.service
similarity index 100%
rename from files/rke_setup/usr/lib/systemd/system/create_rke_user.service
rename to files/rke-common/usr/lib/systemd/system/create_rke_user.service
diff --git a/files/rke_setup/usr/libexec/rke2/create_rke_user.sh b/files/rke-common/usr/libexec/rke2/create_rke_user.sh
similarity index 91%
rename from files/rke_setup/usr/libexec/rke2/create_rke_user.sh
rename to files/rke-common/usr/libexec/rke2/create_rke_user.sh
index bc2b7c4..d85f2a2 100755
--- a/files/rke_setup/usr/libexec/rke2/create_rke_user.sh
+++ b/files/rke-common/usr/libexec/rke2/create_rke_user.sh
@@ -10,5 +10,6 @@ fi
# Add 'rke' to docker group
echo "Adding 'rke' to docker group"
usermod -aG docker rke
+usermod -aG systemd-journal rke
echo "Done"
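Review bot: The new `usermod -aG systemd-journal rke` sits under a comment and an echo that say only the docker group is being added, and like the docker line its exit status is not checked, so a failed usermod still prints `Done`; whether `set -e` is in effect is decided above the hunk and cannot be seen here. Membership in systemd-journal grants read access to the whole host journal, so the reason rke needs it belongs next to the line. Suggested: `# Add 'rke' to docker and systemd-journal (read host journal: <reason rke needs this>) groups`, `echo "Adding 'rke' to docker and systemd-journal groups"`, `usermod -aG docker,systemd-journal rke || { echo "usermod failed" >&2; exit 1; }`.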
diff --git a/files/rke_setup/usr/libexec/rke2/skel/.ssh/authorized_keys b/files/rke-common/usr/libexec/rke2/skel/.ssh/authorized_keys
similarity index 100%
rename from files/rke_setup/usr/libexec/rke2/skel/.ssh/authorized_keys
rename to files/rke-common/usr/libexec/rke2/skel/.ssh/authorized_keys
diff --git a/files/rke-server/etc/firewalld/services/rke-server.xml b/files/rke-server/etc/firewalld/services/rke-server.xml
new file mode 100644
index 0000000..9ba0838
--- /dev/null
+++ b/files/rke-server/etc/firewalld/services/rke-server.xml
@@ -0,0 +1,11 @@
+
+
+ RKE Server
+ Ports for RKE server services.
+
+
+
+
+
+
+
diff --git a/files/rke_setup/etc/firewalld/services/rke.xml b/files/rke_setup/etc/firewalld/services/rke.xml
deleted file mode 100644
index 662d740..0000000
--- a/files/rke_setup/etc/firewalld/services/rke.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
- RKE API
- Open port 6443 for Kubernetes API Server.
-
-
diff --git a/recipes/common/jp-minis.yml b/recipes/common/jp-minis.yml
index 136874c..20afcb8 100644
--- a/recipes/common/jp-minis.yml
+++ b/recipes/common/jp-minis.yml
@@ -26,7 +26,7 @@ modules:
- curl -sfL https://get.rke2.io | sh
- type: files
files:
- - source: rke_setup
+ - source: rke-common
destination: /
- type: systemd
system:
diff --git a/recipes/jp-minis-server.yml b/recipes/jp-minis-server.yml
index a00869f..382afd6 100644
--- a/recipes/jp-minis-server.yml
+++ b/recipes/jp-minis-server.yml
@@ -7,6 +7,10 @@ image-version: 42
description: The image of Wunker OS for JP's Minisforum PCs.
modules:
- from-file: common/jp-minis.yml
+ - type: files
+ files:
+ - source: rke-server
+ destination: /
- type: script
snippets:
- curl -sfL https://get.rke2.io | INSTALL_RKE2_SKIP_RELOAD=true sh