joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
rick-infra/roles/podman/templates/podman.nft.j2
Joakim 846ab74f87 Fix Nextcloud DNS resolution and implement systemd cron for background jobs 
- Enable IP forwarding in security playbook (net.ipv4.ip_forward = 1)
- Add podman network firewall rules to fix container DNS/HTTPS access
- Implement systemd timer for reliable Nextcloud background job execution
- Add database optimization tasks (indices, bigint conversion, mimetypes)
- Configure maintenance window (04:00 UTC) and phone region (NO)
- Add security headers (X-Robots-Tag, X-Permitted-Cross-Domain-Policies)
- Create Nextcloud removal playbook for clean uninstall
- Fix nftables interface matching (podman0 vs podman+)

Root cause: nftables FORWARD chain blocked container egress traffic
Solution: Explicit firewall rules for podman0 bridge interface
2025-12-20 19:51:26 +01:00

33 lines
1.5 KiB
Django/Jinja
Raw Permalink Blame History

#!/usr/sbin/nft -f
# =================================================================
# Podman Container Network Firewall Rules
# =================================================================
# Rick-Infra Infrastructure - Podman Role
# Priority: 10 (loaded after base rules, before drop rules)
#
# Purpose:
# - Allow container-to-host communication for services (PostgreSQL, Valkey)
# - Allow container outbound traffic for DNS, package updates, etc.
# - Enable NAT/masquerading for container networks
#
# Security Model:
# - Containers are trusted (they run our own services)
# - All container egress traffic is allowed (simplified management)
# - Container ingress is controlled by application-specific port publishing
#
# Architecture:
# - Containers access host services via Unix sockets or host.containers.internal
# - Caddy reverse proxy handles all external traffic
# - No direct container port exposure to internet
# Add rules to INPUT chain - Allow trusted container subnets
{% for subnet in podman_trusted_subnets %}
add rule inet filter input ip saddr {{ subnet }} accept comment "Podman containers: {{ subnet }}"
{% endfor %}
# Add rules to FORWARD chain - Enable container forwarding
add rule inet filter forward ct state established,related accept comment "Allow established connections"
add rule inet filter forward iifname "podman0" accept comment "Allow outbound from podman bridge"
add rule inet filter forward oifname "podman0" ct state established,related accept comment "Allow inbound to podman bridge (established)"
Reference in New Issue View Git Blame Copy Permalink