Commit 181fcbcb authored by kaiyou's avatar kaiyou

Remove separate networks for better isolation

parent 029d4bf4
......@@ -16,10 +16,6 @@ services:
labels:
- traefik.enable=true
- traefik.frontend.rule=HostRegexp:${hostname},{subdomain:[a-z-]+}.${hostname},${extrahosts}
- traefik.docker.network=front_default
networks:
- default
- front
volumes:
- ./conf/wp-config.php:/usr/src/wordpress/wp-config.php
- ./conf/.htaccess:/usr/src/wordpress/.htaccess
......@@ -39,7 +35,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -7,8 +7,6 @@ services:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostname}
- traefik.port=8081
networks:
- front
volumes:
- ./data:/zones
ports:
......@@ -39,8 +37,5 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -28,10 +28,6 @@ services:
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostname}
- traefik.docker.network=front_default
networks:
- default
- front
volumes:
- ./start.sh:/start.sh
- ./data:/var/www/onlyoffice/Data
......@@ -53,7 +49,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -17,10 +17,6 @@ services:
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostname}
- traefik.docker.network=front_default
networks:
- default
- front
volumes:
- ./plugins:/var/www/html/plugins.local
environment:
......@@ -40,7 +36,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -8,8 +8,6 @@ services:
- traefik.frontend.rule=Host:${hostname}
volumes:
- ./data:/data
networks:
- front
environment:
- SITE_NAME
......@@ -18,8 +16,6 @@ services:
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostname};PathPrefix:/images/,/thumbs/
networks:
- front
volumes:
- ./old:/usr/share/nginx/html
......@@ -32,6 +28,3 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -18,16 +18,12 @@ services:
depends_on:
- db
- redis
networks:
- default
- front
volumes:
- ./data/public/system:/mastodon/public/system
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostname}
- traefik.port=3000
- traefik.docker.network=front_default
streaming:
image: tootsuite/mastodon:${version}
......@@ -36,16 +32,12 @@ services:
depends_on:
- db
- redis
networks:
- default
- front
labels:
- traefik.enable=true
- traefik.protocol=ws
- traefik.frontend.passHostHeader=true
- traefik.frontend.rule=Host:${hostname};PathPrefixStrip:/api/v1/streaming
- traefik.port=4000
- traefik.docker.network=front_default
sidekiq:
image: tootsuite/mastodon:${version}
......@@ -66,8 +58,5 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -6,8 +6,6 @@ services:
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostname}
networks:
- front
ports:
- "${ipv4}:10000:10000/udp"
- "${ipv6}:10000:10000/udp"
......@@ -27,7 +25,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -6,8 +6,6 @@ services:
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostnames}
networks:
- front
volumes:
- ./nginx.conf:/etc/nginx/conf.d/nginx.conf
- ./data:/var/www
......@@ -31,7 +29,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -9,9 +9,6 @@ services:
- traefik.frontend.rule=Host:${hostname}
- traefik.port=9001
- traefik.network.default=front_default
networks:
- default
- front
environment:
- ETHERPAD_DB_HOST=db
- ETHERPAD_DB_USER=${MYSQL_USER}
......@@ -37,7 +34,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -9,9 +9,6 @@ services:
- traefik.network.default=front_default
env_file:
- ./.env
networks:
- default
- front
volumes:
- "./storage:/var/www/storage"
......@@ -45,7 +42,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -27,10 +27,6 @@ services:
- traefik.frontend.rule=Host:${hostname}
- traefik.frontend.auth.basic=${auth}
- traefik.port=8888
- traefik.docker.network=front_default
networks:
- default
- front
volumes:
- ./chronograf:/var/lib/chronograf
environment:
......@@ -60,7 +56,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
......@@ -7,10 +7,6 @@ services:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostname}
- traefik.port=9000
- traefik.docker.network=front_default
networks:
- default
- front
volumes:
- ./data:/data
environment:
......@@ -59,7 +55,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default
#!/usr/sbin/nft -f
{% set nets = [] %}
{% set cross = [] %}
{% set ip4 = [] %}
{% set ip6 = [] %}
{% for network in networks %}
......@@ -8,11 +9,15 @@
{% set r = (nets.append(i) if (network['Driver'] == 'bridge' and network['Attachable'] == True) else 0) %}
{% endfor %}
{% for container in containers %}
{% set network = container['NetworkSettings']['Networks'].values().__iter__().__next__() %}
{% if container['Config']['Labels'].get('traefik.enable') %}
{% set i = ('traefik', network, container['Config']['Labels'].get('traefik.port', 80)) %}
{% set r = cross.append(i) %}
{% endif %}
{% for dspec, sspecs in container['HostConfig']['PortBindings'].items() %}
{% set dport, proto = dspec.split('/') %}
{% for sspec in sspecs %}
{% set saddr, sport = sspec['HostIp'], sspec['HostPort'] %}
{% set network = container['NetworkSettings']['Networks'].values().__iter__().__next__() %}
{% set i = (saddr, sport, proto, dport, network) %}
{% set r = (ip4.append(i) if ':' not in saddr else 0), (ip6.append(i) if '.' not in saddr else 0) %}
{% endfor %}
......@@ -84,6 +89,12 @@ table inet filter {
iif "{{ bridge }}" oif "{{ bridge }}" accept
{% endfor %}
# cross network traffic (mostly traefik for now)
{% for type, network, port in cross %}
ip daddr {{ network["IPAddress"] }} tcp dport {{ port }} accept
ip6 daddr {{ network["GlobalIPv6Address"] }} tcp dport {{ port }} accept
{% endfor %}
# nated traffic
meta mark 1 counter accept
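Review bot: The accept rules added as `ip daddr {{ network["IPAddress"] }} tcp dport {{ port }} accept` (and the ip6 twin) match only the destination address and port, with no `ip saddr` or `iif` qualifier, so as far as this hunk shows any source that reaches this chain can hit the proxied port of every traefik-enabled container, not just the traefik container the comment names; the enclosing chain and its hook start outside the hunk, so a preceding rule may already narrow this. Qualifying each rule with the proxy's ingress, e.g. `iif "<TRAEFIK_BRIDGE>" ip daddr {{ network["IPAddress"] }} tcp dport {{ port }} accept`, would keep the isolation the commit title aims for. In the earlier hunk, `{% if container['Config']['Labels'].get('traefik.enable') %}` treats any non-empty label value as enabled, so a container labelled `traefik.enable=false` still gets an accept rule; compare against the string instead, `{% if container['Config']['Labels'].get('traefik.enable') == 'true' %}`. The `network` chosen with `.values().__iter__().__next__()` is whichever entry comes first in mapping order, which is unambiguous while each service has a single network but silently picks an arbitrary one otherwise.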
......
......@@ -16,10 +16,6 @@ services:
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:${hostname}
- traefik.docker.network=front_default
networks:
- default
- front
volumes:
- ./moodle:/var/moodledata
- ./config.php:/var/www/html/config.php
......@@ -34,7 +30,4 @@ networks:
config:
- subnet: "${prefix}/64"
gateway: "${prefix}1"
front:
external:
name: front_default