From 35c8bbb1ac458f40af27c0f50268dfbca02ab8bf Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Mon, 4 Dec 2023 13:11:05 +0100
Subject: [PATCH] add vserver
---
 hosts/fw.cloonar.com/modules/firewall.nix | 13 ++++++-------
 hosts/fw.cloonar.com/modules/unbound.nix | 1 -
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index 70f7797..ebdb116 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -127,6 +127,7 @@
 iifname {
 "wan", # disable when final
 "server",
+ "vserver",
 "lan",
 "wg_cloonar"
 } counter accept
@@ -135,8 +136,7 @@
 iifname {
 "lan",
 "server",
- "vb-*",
- "podman0",
+ "vserver",
 "infrastructure",
 "wg_cloonar",
 "smart",
@@ -145,7 +145,7 @@
 iifname {
 "lan",
 "server",
- "podman0",
+ "vserver",
 "vb-*",
 "infrastructure",
 "wg_cloonar",
@@ -177,16 +177,15 @@
 # lan and vpn to any
 # TODO: disable wan when finished
- iifname { "wan", "lan", "server", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "server", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
- iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
+ iifname { "wan", "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
+ iifname { "infrastructure" } oifname { "server", "vserver" } counter accept
 # Allow trusted network WAN access
 iifname {
 "lan",
 "infrastructure",
- "vb-*",
 "server",
- "podman0",
+ "vserver",
 "multimedia",
 "smart",
 "wg_cloonar",
diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix
index f379b34..6cba5d7 100644
--- a/hosts/fw.cloonar.com/modules/unbound.nix
+++ b/hosts/fw.cloonar.com/modules/unbound.nix
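Review bot: `vserver` is added to the accept set in the hunk at `@@ -127,6 +127,7 @@` with no comment saying which interface it is, and the later hunks in this file show it standing in for `podman0` (and in two of the sets also for `vb-*`), which a future reader cannot recover from the name alone. A trailing comment on this first occurrence, e.g. `"vserver", # <interface description> — replaces podman0`, with the placeholder filled in, would record that. The chain this set belongs to starts before the hunk.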
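Review bot: The hunk at `@@ -135,8 +136,7 @@` drops `vb-*` together with `podman0`, but the set in the next hunk (`@@ -145,7 +145,7 @@`) keeps `vb-*` and only swaps `podman0` for `vserver`, and the rewritten forwarding rule at `@@ -177,16 +177,15 @@` removes `vb-*` from its `iifname` set while keeping it in `oifname`. If the `vb-*` bridges are being retired in favour of `vserver`, the surviving entries look like leftovers; if they stay in use, this set now withholds from them what the other two still grant. I cannot tell from the diff which is meant, so either removing the surviving entries or a one-line comment on them, e.g. `"vb-*", # still used by <VM name/purpose>`, would make the policy consistent. The chain these sets belong to starts outside the hunks.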
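Review bot: The second forwarding rule in `@@ -177,16 +177,15 @@` changes its destination set from `oifname { "podman0", "vb-omada" }` to `oifname { "server", "vserver" }`, so `infrastructure` can now reach every host behind the `server` interface instead of two specific bridges, and the commit message ("add vserver") does not mention this widening. If only the hosts that previously lived on `podman0`/`vb-omada` need to be reachable, `iifname { "infrastructure" } oifname { "vserver" } counter accept` (or whichever interface those hosts moved to) preserves the earlier scope; if the wider grant is intended, a comment such as `# infrastructure -> server/vserver (was podman0, vb-omada)` records the decision. Whether the same hosts sit behind `server` and `vserver` is not visible in this diff. The chain this rule belongs to starts outside the hunk.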
@@ -11,7 +11,6 @@
 "10.42.98.0/24 allow"
 "10.42.99.0/24 allow"
 "10.42.101.0/24 allow"
- "10.42.254.0/24 allow"
 ];
 tls-cert-bundle = "/var/lib/acme/fw.cloonar.com/fullchain.pem";
 local-zone = "\"cloonar.com\" transparent";