914538eed1
Architektur-Pivot: nginx fällt komplett weg. HAProxy 2.8+ übernimmt
TLS-Termination, L7-Routing per Host-Header und LB. ACME-Webroot
und Management-UI werden von edgeguard-api ausgeliefert (Phase 3
implementiert die zugehörigen Handler); HAProxy proxied
/.well-known/acme-challenge/* und Management-FQDN-Traffic an
127.0.0.1:9443. Eine Distro-Abhängigkeit weniger, ein Renderer
weniger, sauberere Trennung.
Renderer (alle mit Embed-Templates + Tests):
* internal/configgen/ — atomic write + systemctl reload helpers
* internal/haproxy/ — :80 + :443, ACME-ACL, Host-Header-Routing,
Stats-Frontend, api_backend Fallback
* internal/firewall/ — default-deny input, stateful baseline,
SSH-Rate-Limit, :80/:443 accept,
Cluster-Peer-Set für mTLS :8443,
Custom-Rules aus PG
* internal/{squid,wireguard,unbound}/ — Stubs (ErrNotImplemented)
Orchestrator + CLI:
* internal/services/configorch/ — fester Reihenfolge-Run, Stubs
sind soft-skip statt fatal
* cmd/edgeguard-ctl render-config [--no-reload] [--only=svc1,svc2]
Packaging:
* postinst: /etc/edgeguard/nginx raus, /var/lib/edgeguard/acme rein,
self-signed _default.pem via openssl req (damit HAProxy startet
bevor certbot etwas issuet hat)
* control: Depends nginx raus, openssl rein
* edgeguard-ui: dependency auf nginx weg, "Served by edgeguard-api
gin StaticFS"
Live-Smoke: render-config gegen lokale PG schreibt /etc/edgeguard/
haproxy/haproxy.cfg + nftables.d/ruleset.nft korrekt; CRUD-Test aus
Phase 2 läuft weiter unverändert.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
70 lines
2.2 KiB
Smarty
70 lines
2.2 KiB
Smarty
#!/usr/sbin/nft -f
|
|
# Generated by edgeguard-api — DO NOT EDIT.
|
|
# Source: internal/firewall/firewall.go (template: ruleset.nft.tpl).
|
|
# Re-generate via `edgeguard-ctl render-config`.
|
|
|
|
flush ruleset
|
|
|
|
table inet edgeguard {
|
|
set peer_ipv4 {
|
|
type ipv4_addr; flags interval
|
|
{{- if .PeerIPv4}}
|
|
elements = { {{range $i, $ip := .PeerIPv4}}{{if $i}}, {{end}}{{$ip}}{{end}} }
|
|
{{- end}}
|
|
}
|
|
set peer_ipv6 {
|
|
type ipv6_addr; flags interval
|
|
{{- if .PeerIPv6}}
|
|
elements = { {{range $i, $ip := .PeerIPv6}}{{if $i}}, {{end}}{{$ip}}{{end}} }
|
|
{{- end}}
|
|
}
|
|
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
# Stateful baseline
|
|
ct state established,related accept
|
|
ct state invalid drop
|
|
iif lo accept
|
|
|
|
# ICMP — keep PMTUD and basic diagnostics
|
|
ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
|
|
ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
|
|
|
|
# SSH — rate-limit to keep brute-force out of the auth log
|
|
tcp dport 22 ct state new limit rate 10/minute accept
|
|
tcp dport 22 drop
|
|
|
|
# Public ingress: HAProxy terminates TLS on :443 and serves :80
|
|
tcp dport { 80, 443 } accept
|
|
|
|
# Cluster-internal: peers reach edgeguard-api over mTLS on :8443
|
|
tcp dport 8443 ip saddr @peer_ipv4 accept
|
|
tcp dport 8443 ip6 saddr @peer_ipv6 accept
|
|
|
|
{{- range .CustomRulesInput}}
|
|
# {{.Comment}}
|
|
{{.MatchExpr}} {{.Action}}
|
|
{{- end}}
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
ct state established,related accept
|
|
ct state invalid drop
|
|
|
|
{{- range .CustomRulesForward}}
|
|
# {{.Comment}}
|
|
{{.MatchExpr}} {{.Action}}
|
|
{{- end}}
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy accept;
|
|
{{- range .CustomRulesOutput}}
|
|
# {{.Comment}}
|
|
{{.MatchExpr}} {{.Action}}
|
|
{{- end}}
|
|
}
|
|
}
|