Add more firewall rules

2025-05-17 22:18:15 -04:00
parent 4adfb4a2ef
commit d51297fec9
10 changed files with 35 additions and 7 deletions
--- a/files/rke-common/etc/NetworkManager/conf.d/rke2-canal.conf
+++ b/files/rke-common/etc/NetworkManager/conf.d/rke2-canal.conf
@@ -0,0 +1,2 @@
+[keyfile]
+unmanaged-devices=interface-name:flannel*;interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:vxlan-v6.calico;interface-name:wireguard.cali;interface-name:wg-v6.cali
--- a/files/rke-common/etc/firewalld/services/rke-common.xml
+++ b/files/rke-common/etc/firewalld/services/rke-common.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>RKE Common</short>
+  <description>Common ports for RKE services.</description>
+  <port protocol="tcp" port="10250"/>
+  <port protocol="tcp" start="30000" end="32767"/>
+  <port protocol="udp" port="8472"/>
+  <port protocol="tcp" port="9099"/>
+  <port protocol="udp" port="51820"/>
+  <port protocol="udp" port="51821"/>
+  <port protocol="tcp" port="179"/>
+  <port protocol="udp" port="4789"/>
+  <port protocol="tcp" port="5473"/>
+  <port protocol="tcp" port="9098"/>
+  <port protocol="tcp" port="9099"/>
+</service>
--- a/files/rke-common/etc/sudoers.d/99_rke2
+++ b/files/rke-common/etc/sudoers.d/99_rke2
--- a/files/rke-common/usr/lib/systemd/system/create_rke_user.service
+++ b/files/rke-common/usr/lib/systemd/system/create_rke_user.service
--- a/files/rke-common/usr/libexec/rke2/create_rke_user.sh
+++ b/files/rke-common/usr/libexec/rke2/create_rke_user.sh
@@ -10,5 +10,6 @@ fi
 # Add 'rke' to docker group
 echo "Adding 'rke' to docker group"
 usermod -aG docker rke
+usermod -aG systemd-journal rke

 echo "Done"
--- a/files/rke-common/usr/libexec/rke2/skel/.ssh/authorized_keys
+++ b/files/rke-common/usr/libexec/rke2/skel/.ssh/authorized_keys
--- a/files/rke-server/etc/firewalld/services/rke-server.xml
+++ b/files/rke-server/etc/firewalld/services/rke-server.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>RKE Server</short>
+  <description>Ports for RKE server services.</description>
+  <port protocol="tcp" port="6443"/>
+  <port protocol="tcp" port="9345"/>
+  <port protocol="tcp" port="2379"/>
+  <port protocol="tcp" port="2380"/>
+  <port protocol="tcp" port="2381"/>
+</service>
+
--- a/files/rke_setup/etc/firewalld/services/rke.xml
+++ b/files/rke_setup/etc/firewalld/services/rke.xml
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<service>
-  <short>RKE API</short>
-  <description>Open port 6443 for Kubernetes API Server.</description>
-  <port protocol="tcp" port="6443"/>
-</service>
--- a/recipes/common/jp-minis.yml
+++ b/recipes/common/jp-minis.yml
@@ -26,7 +26,7 @@ modules:
      - curl -sfL https://get.rke2.io | sh
  - type: files
    files:
-      - source: rke_setup
+      - source: rke-common
        destination: /
  - type: systemd
    system:
--- a/recipes/jp-minis-server.yml
+++ b/recipes/jp-minis-server.yml
@@ -7,6 +7,10 @@ image-version: 42
 description: The image of Wunker OS for JP's Minisforum PCs.
 modules:
  - from-file: common/jp-minis.yml
+  - type: files
+    files:
+      - source: rke-server
+        destination: /
  - type: script
    snippets:
      - curl -sfL https://get.rke2.io | INSTALL_RKE2_SKIP_RELOAD=true sh