authorjaseg <code@jaseg.net>2019-04-04 20:08:46 +0900
committerjaseg <git@jaseg.net>2019-04-04 20:08:46 +0900
commit07f1aacba09acc120ead9c74d476060e698614b7 (patch)
treef20a6604ab811f33c02fa1cc45d989d512c4e09e
parentbd281ef2e8213c6e92d68aefff9bfd1a8d8351d6 (diff)
Fix up clippy networking
-rw-r--r--clippy-nspawn.service2
-rw-r--r--clippy.nspawn2
-rw-r--r--iptables.rules24
-rw-r--r--playbook.yml24
-rw-r--r--setup_clippy.yml20
5 files changed, 68 insertions, 4 deletions
diff --git a/clippy-nspawn.service b/clippy-nspawn.service
index 66b8e85..8dbedbd 100644
--- a/clippy-nspawn.service
+++ b/clippy-nspawn.service
@@ -15,7 +15,7 @@ After=network.target systemd-resolved.service
RequiresMountsFor=/var/lib/machines
[Service]
-ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --ephemeral --boot --network-veth --port=23:2342 -U --settings=override --machine=clippy
+ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --ephemeral --boot -U --settings=override --machine=clippy
KillMode=mixed
Type=notify
RestartForceExitStatus=133
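Review bot: The new ExecStart line runs the container without its own network namespace — `--network-veth` is gone here and the new clippy.nspawn sets `VirtualEthernet=no` — so the service inside clippy now listens directly on the host's tcp/2342, and the tcp/23 mapping that `--port=23:2342` used to provide is taken over by the REDIRECT rule in iptables.rules; none of that is recorded in the unit. A comment above ExecStart would save the next reader the cross-file hunt: `# No private network (see clippy.nspawn): tcp/23 -> 2342 is done by the host's iptables REDIRECT in iptables.rules`. Since `--settings=override` lets the .nspawn file override the command line, the comment should also say the two must be kept in sync. The unit's [Service] section continues outside the hunk.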
diff --git a/clippy.nspawn b/clippy.nspawn
new file mode 100644
index 0000000..dfe2935
--- /dev/null
+++ b/clippy.nspawn
@@ -0,0 +1,2 @@
+[Network]
+VirtualEthernet=no
diff --git a/iptables.rules b/iptables.rules
new file mode 100644
index 0000000..0f6f366
--- /dev/null
+++ b/iptables.rules
@@ -0,0 +1,24 @@
+# Generated by iptables-save v1.8.0 on Thu Apr 4 11:06:33 2019
+*nat
+:PREROUTING ACCEPT [13:648]
+:INPUT ACCEPT [8:440]
+:OUTPUT ACCEPT [18:1260]
+:POSTROUTING ACCEPT [18:1260]
+-A PREROUTING -i eth0 -p tcp -m tcp --dport 23 -j REDIRECT --to-ports 2342
+COMMIT
+# Completed on Thu Apr 4 11:06:33 2019
+# Generated by iptables-save v1.8.0 on Thu Apr 4 11:06:33 2019
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [360:761646]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 2342 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+# Completed on Thu Apr 4 11:06:33 2019
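Review bot: The filter rule `-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT` is unreachable for traffic arriving on eth0, because the nat PREROUTING REDIRECT above has already rewritten the destination port to 2342 by the time INPUT is evaluated; it only matches on other interfaces, where nothing listens on 23, so it can be dropped (or the REDIRECT widened if non-eth0 interfaces are meant to be served). The packet/byte counters (`[13:648]`, `[360:761646]`) are a snapshot of the live host and will churn on every re-save; a committed rule set normally zeroes them, `:PREROUTING ACCEPT [0:0]`. `-m state` is the legacy match and `-m conntrack --ctstate` is the current equivalent, but that is a style point only. Nothing here covers IPv6; if iptables-services also manages ip6tables on this host, an unfiltered v6 stack is presumably not what is intended — worth confirming.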
diff --git a/playbook.yml b/playbook.yml
index 60fe499..1c694d5 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -12,7 +12,7 @@
- name: Install host requisites
dnf:
- name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git
+ name: nginx,uwsgi,python3-flask,python3-flask-wtf,uwsgi-plugin-python3,certbot,python3-certbot-nginx,libselinux-python,git,iptables-services
state: latest
- name: Disable password-based root login
@@ -28,6 +28,28 @@
state: restarted
when: disable_root_pw_ssh is changed
+ - name: Create iptables firewall config dir
+ file:
+ path: /etc/iptables
+ state: directory
+ owner: root
+ group: root
+ mode: 0775
+
+ - name: Configure iptables firewall service
+ copy:
+ src: iptables.rules
+ dest: /etc/iptables/iptables.rules
+ owner: root
+ group: root
+ mode: 0664
+
+ - name: Enable iptables firewall service
+ systemd:
+ name: iptables
+ enabled: yes
+ state: started
+
- name: Create containers
include_tasks: setup_containers.yml
vars:
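Review bot: The "Configure iptables firewall service" copy task never re-applies the rules it installs: the following systemd task only ensures `state: started`, so an edited iptables.rules lands on disk but the running rule set is unchanged until reboot. The playbook already uses the register-and-check pattern for sshd (`when: disable_root_pw_ssh is changed`), so the same fits here: `register: iptables_rules` on the copy task and `state: "{{ 'restarted' if iptables_rules is changed else 'started' }}"` on the systemd task. The destination `/etc/iptables/iptables.rules` also looks like the Arch layout — as far as I recall the Fedora/RHEL iptables-services unit loads `/etc/sysconfig/iptables`, in which case the service would start with an empty rule set; please confirm the path. The modes rely on YAML 1.1 octal parsing and `enabled: yes` on 1.1 truthiness; `mode: "0755"`, `mode: "0644"` and `enabled: true` are the portable forms.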
diff --git a/setup_clippy.yml b/setup_clippy.yml
index e4416e0..26142b6 100644
--- a/setup_clippy.yml
+++ b/setup_clippy.yml
@@ -36,6 +36,22 @@
group: root
mode: 0664
+- name: Create systemd-nspawn config dir
+ file:
+ path: /etc/systemd/nspawn
+ state: directory
+ owner: root
+ group: root
+ mode: 0775
+
+- name: Copy over clippy container config
+ copy:
+ src: clippy.nspawn
+ dest: /etc/systemd/nspawn/clippy.nspawn
+ owner: root
+ group: root
+ mode: 0664
+
- name: Enable clippy container auto boot
systemd:
daemon-reload: yes
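Review bot: The "Copy over clippy container config" task installs clippy.nspawn but registers nothing, and a .nspawn file is only read when the container starts, so a changed network setting will not reach an already-running clippy until something else restarts it. Register the copy (`register: clippy_nspawn_conf`) and restart the container service when it changed, mirroring the `is changed` pattern used for sshd in playbook.yml. Both new tasks use unquoted octal modes; `mode: "0755"` for the directory and `mode: "0644"` for the file are the portable forms and match the usual /etc permissions. The "Enable clippy container auto boot" task continues outside the hunk.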
@@ -64,6 +80,6 @@
# enabled: yes
# state: started
-- name: Enable clippy container networkd
- command: systemctl enable -M clippy systemd-networkd
+#- name: Enable clippy container networkd
+# command: systemctl enable -M clippy systemd-networkd