Merge pull request 'k8s firewall' (#26) from earl-warren/documentation:wip-firewall into main

Reviewed-on: https://code.forgejo.org/infrastructure/documentation/pulls/26

README.md

@@ -65,17 +65,36 @@ lxc-helpers.sh lxc_container_user_install $name $(id -u) $USER
 
 ## firewall
 
-Hetzner hosts have a firewall that must be configured from
+```sh
-https://robot.hetzner.com/server to only allow incoming ssh, http,
+sudo apt-get install ufw
-https requests for both IPv4 & IPv6. Each server has a "Firewall" tab
+```
-that provides control over this firewall.
 
-The firewall applies to the VLAN too. The 10.0.0.0/8 source address
+```sh
-must therefore be allowed explicitly for IPv4 and that must be the
+sudo ufw default allow incoming
-first rule of the firewall.
+sudo ufw default allow outgoing
+sudo ufw default allow routed
 
-A template "k8s" was defined that can be used for sharing the same
+ips="88.198.58.177 2a01:4f8:222:507::2" # host specific
-rules between multiple k8s nodes.
+
+for host_ip in $ips ; do
+  sudo ufw allow to $host_ip  port 22 proto tcp
+  sudo ufw deny to $host_ip
+done
+
+for public_ip in 188.40.16.47 2a01:4f8:fff2:48::2 ; do
+  sudo ufw allow to $public_ip  port 22,80,443,2000:3000 proto tcp
+  sudo ufw deny to $public_ip
+done
+```
+
+```sh
+sudo systemctl enable ufw
+sudo ufw enable
+```
+
+```sh
+sudo ufw status verbose
+```
 
 ## nftables