From 1c55bccf91b65cc01c06241cc40beefca68712b9 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 30 Oct 2022 01:17:10 +0200
Subject: [PATCH] chore(iot): Restrict to local and VPN traffic

This patch restricts access from the internet to IoT devices. It's now limited to the local network and VPN access, which reduces the risk of an attack and improves the multi-layer security.
---
 apps/k8s01/iot/rainer.yaml | 10 +++++----
 apps/k8s01/iot/shelly.yaml | 44 ++++++++++++++++++++++----------------
 2 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/apps/k8s01/iot/rainer.yaml b/apps/k8s01/iot/rainer.yaml
index e6e2c0d5f..44f730617 100644
--- a/apps/k8s01/iot/rainer.yaml
+++ b/apps/k8s01/iot/rainer.yaml
@@ -16,8 +16,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-11T13:22:25Z"
- mac: ENC[AES256_GCM,data:t3k/mWa6ixw39Pvh0nZPNY8txZFj8d18Me3rZXBFz3noZOA6k2XFH99wi6GaXhGwhrSZ0MH6UKC8j0iLF/dG8z65jsyCay4ADVK87F9B2TjN/jgpBSS0vqbaTK13pAJSO2YWVa6LCIz2NFjXDn10K077AwvMDQF3nTOgOJujtRs=,iv:R36OowB3lNoHQUm+P/vEiawSaZS9RWC7HmvYn7NWY7A=,tag:+9mrZGHkJBtMQpWu17hlJA==,type:str]
+ lastmodified: "2022-10-29T23:15:58Z"
+ mac: ENC[AES256_GCM,data:hTmGPhatiM9MXUMZGnxOaN/utUX65i/UdrKl5uR+wBHESrCfSqDAIU1U9uRgL5bYZ2acCfP1zA2wAwRmhn7jqWpvrzcPsQm9JrPgirln3rL/HbKbTTWV9pC2Qxcduomh1Vuaxoiq5x378ogyjbFcUL97v7njKtsPdiaUyszHlcw=,iv:qKENbAB7w6qv9r7TsETHkqbIzax2bhyesr/fESvecSw=,tag:w0WvQ9C0nK+0WoxR0g4MiA==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
@@ -72,6 +72,8 @@ metadata:
 forecastle.stakater.com/expose: "true"
 forecastle.stakater.com/appName: Rainer
 forecastle.stakater.com/group: IoT
+ forecastle.stakater.com/network-restricted: "true"
+ nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.218/32
 nginx.ingress.kubernetes.io/auth-response-headers: Authorization
 nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:jKiHDoG05AspEOjtaHqDMJSR7JJWWxtIdg==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:u3D0MZQR/yVynTH1cu4KwQ==,type:str]
 nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
@@ -105,8 +107,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-11T13:22:25Z"
- mac: ENC[AES256_GCM,data:t3k/mWa6ixw39Pvh0nZPNY8txZFj8d18Me3rZXBFz3noZOA6k2XFH99wi6GaXhGwhrSZ0MH6UKC8j0iLF/dG8z65jsyCay4ADVK87F9B2TjN/jgpBSS0vqbaTK13pAJSO2YWVa6LCIz2NFjXDn10K077AwvMDQF3nTOgOJujtRs=,iv:R36OowB3lNoHQUm+P/vEiawSaZS9RWC7HmvYn7NWY7A=,tag:+9mrZGHkJBtMQpWu17hlJA==,type:str]
+ lastmodified: "2022-10-29T23:15:58Z"
+ mac: ENC[AES256_GCM,data:hTmGPhatiM9MXUMZGnxOaN/utUX65i/UdrKl5uR+wBHESrCfSqDAIU1U9uRgL5bYZ2acCfP1zA2wAwRmhn7jqWpvrzcPsQm9JrPgirln3rL/HbKbTTWV9pC2Qxcduomh1Vuaxoiq5x378ogyjbFcUL97v7njKtsPdiaUyszHlcw=,iv:qKENbAB7w6qv9r7TsETHkqbIzax2bhyesr/fESvecSw=,tag:w0WvQ9C0nK+0WoxR0g4MiA==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
diff --git a/apps/k8s01/iot/shelly.yaml b/apps/k8s01/iot/shelly.yaml
index a680df47f..a92d15913 100644
--- a/apps/k8s01/iot/shelly.yaml
+++ b/apps/k8s01/iot/shelly.yaml
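Review bot: The added `nginx.ingress.kubernetes.io/whitelist-source-range` only delivers the restriction the commit message describes if ingress-nginx evaluates the real client address; if the controller is reached through a load balancer or NAT that rewrites the source to a node or LB address inside 10.0.0.0/8 or 192.168.0.0/16, every internet request matches the allowlist and nothing is restricted. Please confirm the controller preserves client IPs (for example `externalTrafficPolicy: Local` on its Service, or PROXY protocol / `use-forwarded-headers` with the trusted proxy CIDRs limited to the load balancer) and record that dependency beside the annotation, e.g. `# Source-IP allowlist: only effective while the ingress controller sees the real client IP (no SNAT; forwarded headers trusted only from the LB).` The /8 presumably also covers the cluster's own pod and service ranges, so in-cluster workloads still pass the allowlist and the existing auth-url oauth2 gate remains the control that matters there; keep both. The same annotation pair is added to the Shelly01, Shelly02, Humidity & Temprature 01 and 02 Ingress objects in shelly.yaml, where the same caveat applies, and the annotations mapping these lines belong to starts outside the hunk.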
@@ -16,8 +16,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-19T12:13:53Z"
- mac: ENC[AES256_GCM,data:cW9/LrYVnvAKQq5SC6bglyuitJqKA9XoUaSaCS0mGjUWTX8GHYLpT0RGoviwjl9ooNk9gwHcZ2THD0cW8r9cbZauVtsiwwD7vbPrKJaAbyms0EYdo9TksCE2EqFVZIg8uLVrNcYc2g+i9HEr+U50TqGlg1jzbs5IyG8t05BKxrY=,iv:eaotNSNrTERUdbHKknmSUuEBk76wlignjlu5LB0yBqQ=,tag:Di3Nup1zflNFZSjkRvNbgQ==,type:str]
+ lastmodified: "2022-10-29T23:16:41Z"
+ mac: ENC[AES256_GCM,data:tnVW6e6MzvneZobvPSp38dKosyWwBuvTk2W/2tQTErVdMvKSCLvrcnYEOzzYxKzbTuO3zKi++g100k45So6glG1vR/dUR8GUTlXZll8e85KueouW0CaxDCQc9C3TX6H0tCI+nWRvF4lvYqyOFZHY39MWIS87+aKC4d37ITmfed8=,iv:/TzT+OX6nCnVXpE5v8TbN55pJHaGfgw9CpEx+gkk51I=,tag:PP5Ns6y+zj9ELj9PcLH8ZQ==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
@@ -72,6 +72,8 @@ metadata:
 forecastle.stakater.com/expose: "true"
 forecastle.stakater.com/appName: Shelly01
 forecastle.stakater.com/group: IoT
+ forecastle.stakater.com/network-restricted: "true"
+ nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.218/32
 nginx.ingress.kubernetes.io/auth-response-headers: Authorization
 nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
 nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
@@ -105,8 +107,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-19T12:13:53Z"
- mac: ENC[AES256_GCM,data:cW9/LrYVnvAKQq5SC6bglyuitJqKA9XoUaSaCS0mGjUWTX8GHYLpT0RGoviwjl9ooNk9gwHcZ2THD0cW8r9cbZauVtsiwwD7vbPrKJaAbyms0EYdo9TksCE2EqFVZIg8uLVrNcYc2g+i9HEr+U50TqGlg1jzbs5IyG8t05BKxrY=,iv:eaotNSNrTERUdbHKknmSUuEBk76wlignjlu5LB0yBqQ=,tag:Di3Nup1zflNFZSjkRvNbgQ==,type:str]
+ lastmodified: "2022-10-29T23:16:41Z"
+ mac: ENC[AES256_GCM,data:tnVW6e6MzvneZobvPSp38dKosyWwBuvTk2W/2tQTErVdMvKSCLvrcnYEOzzYxKzbTuO3zKi++g100k45So6glG1vR/dUR8GUTlXZll8e85KueouW0CaxDCQc9C3TX6H0tCI+nWRvF4lvYqyOFZHY39MWIS87+aKC4d37ITmfed8=,iv:/TzT+OX6nCnVXpE5v8TbN55pJHaGfgw9CpEx+gkk51I=,tag:PP5Ns6y+zj9ELj9PcLH8ZQ==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
@@ -170,8 +172,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-19T12:13:53Z"
- mac: ENC[AES256_GCM,data:cW9/LrYVnvAKQq5SC6bglyuitJqKA9XoUaSaCS0mGjUWTX8GHYLpT0RGoviwjl9ooNk9gwHcZ2THD0cW8r9cbZauVtsiwwD7vbPrKJaAbyms0EYdo9TksCE2EqFVZIg8uLVrNcYc2g+i9HEr+U50TqGlg1jzbs5IyG8t05BKxrY=,iv:eaotNSNrTERUdbHKknmSUuEBk76wlignjlu5LB0yBqQ=,tag:Di3Nup1zflNFZSjkRvNbgQ==,type:str]
+ lastmodified: "2022-10-29T23:16:41Z"
+ mac: ENC[AES256_GCM,data:tnVW6e6MzvneZobvPSp38dKosyWwBuvTk2W/2tQTErVdMvKSCLvrcnYEOzzYxKzbTuO3zKi++g100k45So6glG1vR/dUR8GUTlXZll8e85KueouW0CaxDCQc9C3TX6H0tCI+nWRvF4lvYqyOFZHY39MWIS87+aKC4d37ITmfed8=,iv:/TzT+OX6nCnVXpE5v8TbN55pJHaGfgw9CpEx+gkk51I=,tag:PP5Ns6y+zj9ELj9PcLH8ZQ==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
@@ -226,6 +228,8 @@ metadata:
 forecastle.stakater.com/expose: "true"
 forecastle.stakater.com/appName: Shelly02
 forecastle.stakater.com/group: IoT
+ forecastle.stakater.com/network-restricted: "true"
+ nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.218/32
 nginx.ingress.kubernetes.io/auth-response-headers: Authorization
 nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
 nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
@@ -259,8 +263,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-19T12:13:53Z"
- mac: ENC[AES256_GCM,data:cW9/LrYVnvAKQq5SC6bglyuitJqKA9XoUaSaCS0mGjUWTX8GHYLpT0RGoviwjl9ooNk9gwHcZ2THD0cW8r9cbZauVtsiwwD7vbPrKJaAbyms0EYdo9TksCE2EqFVZIg8uLVrNcYc2g+i9HEr+U50TqGlg1jzbs5IyG8t05BKxrY=,iv:eaotNSNrTERUdbHKknmSUuEBk76wlignjlu5LB0yBqQ=,tag:Di3Nup1zflNFZSjkRvNbgQ==,type:str]
+ lastmodified: "2022-10-29T23:16:41Z"
+ mac: ENC[AES256_GCM,data:tnVW6e6MzvneZobvPSp38dKosyWwBuvTk2W/2tQTErVdMvKSCLvrcnYEOzzYxKzbTuO3zKi++g100k45So6glG1vR/dUR8GUTlXZll8e85KueouW0CaxDCQc9C3TX6H0tCI+nWRvF4lvYqyOFZHY39MWIS87+aKC4d37ITmfed8=,iv:/TzT+OX6nCnVXpE5v8TbN55pJHaGfgw9CpEx+gkk51I=,tag:PP5Ns6y+zj9ELj9PcLH8ZQ==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
@@ -324,8 +328,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-19T12:13:53Z"
- mac: ENC[AES256_GCM,data:cW9/LrYVnvAKQq5SC6bglyuitJqKA9XoUaSaCS0mGjUWTX8GHYLpT0RGoviwjl9ooNk9gwHcZ2THD0cW8r9cbZauVtsiwwD7vbPrKJaAbyms0EYdo9TksCE2EqFVZIg8uLVrNcYc2g+i9HEr+U50TqGlg1jzbs5IyG8t05BKxrY=,iv:eaotNSNrTERUdbHKknmSUuEBk76wlignjlu5LB0yBqQ=,tag:Di3Nup1zflNFZSjkRvNbgQ==,type:str]
+ lastmodified: "2022-10-29T23:16:41Z"
+ mac: ENC[AES256_GCM,data:tnVW6e6MzvneZobvPSp38dKosyWwBuvTk2W/2tQTErVdMvKSCLvrcnYEOzzYxKzbTuO3zKi++g100k45So6glG1vR/dUR8GUTlXZll8e85KueouW0CaxDCQc9C3TX6H0tCI+nWRvF4lvYqyOFZHY39MWIS87+aKC4d37ITmfed8=,iv:/TzT+OX6nCnVXpE5v8TbN55pJHaGfgw9CpEx+gkk51I=,tag:PP5Ns6y+zj9ELj9PcLH8ZQ==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
@@ -380,6 +384,8 @@ metadata:
 forecastle.stakater.com/expose: "true"
 forecastle.stakater.com/appName: Humidity & Temprature 01
 forecastle.stakater.com/group: IoT
+ forecastle.stakater.com/network-restricted: "true"
+ nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.218/32
 nginx.ingress.kubernetes.io/auth-response-headers: Authorization
 nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
 nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
@@ -413,8 +419,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-19T12:13:53Z"
- mac: ENC[AES256_GCM,data:cW9/LrYVnvAKQq5SC6bglyuitJqKA9XoUaSaCS0mGjUWTX8GHYLpT0RGoviwjl9ooNk9gwHcZ2THD0cW8r9cbZauVtsiwwD7vbPrKJaAbyms0EYdo9TksCE2EqFVZIg8uLVrNcYc2g+i9HEr+U50TqGlg1jzbs5IyG8t05BKxrY=,iv:eaotNSNrTERUdbHKknmSUuEBk76wlignjlu5LB0yBqQ=,tag:Di3Nup1zflNFZSjkRvNbgQ==,type:str]
+ lastmodified: "2022-10-29T23:16:41Z"
+ mac: ENC[AES256_GCM,data:tnVW6e6MzvneZobvPSp38dKosyWwBuvTk2W/2tQTErVdMvKSCLvrcnYEOzzYxKzbTuO3zKi++g100k45So6glG1vR/dUR8GUTlXZll8e85KueouW0CaxDCQc9C3TX6H0tCI+nWRvF4lvYqyOFZHY39MWIS87+aKC4d37ITmfed8=,iv:/TzT+OX6nCnVXpE5v8TbN55pJHaGfgw9CpEx+gkk51I=,tag:PP5Ns6y+zj9ELj9PcLH8ZQ==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
@@ -478,8 +484,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-19T12:13:53Z"
- mac: ENC[AES256_GCM,data:cW9/LrYVnvAKQq5SC6bglyuitJqKA9XoUaSaCS0mGjUWTX8GHYLpT0RGoviwjl9ooNk9gwHcZ2THD0cW8r9cbZauVtsiwwD7vbPrKJaAbyms0EYdo9TksCE2EqFVZIg8uLVrNcYc2g+i9HEr+U50TqGlg1jzbs5IyG8t05BKxrY=,iv:eaotNSNrTERUdbHKknmSUuEBk76wlignjlu5LB0yBqQ=,tag:Di3Nup1zflNFZSjkRvNbgQ==,type:str]
+ lastmodified: "2022-10-29T23:16:41Z"
+ mac: ENC[AES256_GCM,data:tnVW6e6MzvneZobvPSp38dKosyWwBuvTk2W/2tQTErVdMvKSCLvrcnYEOzzYxKzbTuO3zKi++g100k45So6glG1vR/dUR8GUTlXZll8e85KueouW0CaxDCQc9C3TX6H0tCI+nWRvF4lvYqyOFZHY39MWIS87+aKC4d37ITmfed8=,iv:/TzT+OX6nCnVXpE5v8TbN55pJHaGfgw9CpEx+gkk51I=,tag:PP5Ns6y+zj9ELj9PcLH8ZQ==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
@@ -534,6 +540,8 @@ metadata:
 forecastle.stakater.com/expose: "true"
 forecastle.stakater.com/appName: Humidity & Temprature 02
 forecastle.stakater.com/group: IoT
+ forecastle.stakater.com/network-restricted: "true"
+ nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.218/32
 nginx.ingress.kubernetes.io/auth-response-headers: Authorization
 nginx.ingress.kubernetes.io/auth-url: ENC[AES256_GCM,data:LtmYhpd4lLnuyYH9mF8aHNzChLTmrwgtCw==,iv:Dl/5jLP9WVl6oZ26TvUbWPNI6U50hOI6YAKFx4rU65Y=,tag:MUA/yQ+SrJ8F2meqqwlQEQ==,type:str]
 nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
@@ -567,8 +575,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-19T12:13:53Z"
- mac: ENC[AES256_GCM,data:cW9/LrYVnvAKQq5SC6bglyuitJqKA9XoUaSaCS0mGjUWTX8GHYLpT0RGoviwjl9ooNk9gwHcZ2THD0cW8r9cbZauVtsiwwD7vbPrKJaAbyms0EYdo9TksCE2EqFVZIg8uLVrNcYc2g+i9HEr+U50TqGlg1jzbs5IyG8t05BKxrY=,iv:eaotNSNrTERUdbHKknmSUuEBk76wlignjlu5LB0yBqQ=,tag:Di3Nup1zflNFZSjkRvNbgQ==,type:str]
+ lastmodified: "2022-10-29T23:16:41Z"
+ mac: ENC[AES256_GCM,data:tnVW6e6MzvneZobvPSp38dKosyWwBuvTk2W/2tQTErVdMvKSCLvrcnYEOzzYxKzbTuO3zKi++g100k45So6glG1vR/dUR8GUTlXZll8e85KueouW0CaxDCQc9C3TX6H0tCI+nWRvF4lvYqyOFZHY39MWIS87+aKC4d37ITmfed8=,iv:/TzT+OX6nCnVXpE5v8TbN55pJHaGfgw9CpEx+gkk51I=,tag:PP5Ns6y+zj9ELj9PcLH8ZQ==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
@@ -628,8 +636,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-19T12:13:53Z"
- mac: ENC[AES256_GCM,data:cW9/LrYVnvAKQq5SC6bglyuitJqKA9XoUaSaCS0mGjUWTX8GHYLpT0RGoviwjl9ooNk9gwHcZ2THD0cW8r9cbZauVtsiwwD7vbPrKJaAbyms0EYdo9TksCE2EqFVZIg8uLVrNcYc2g+i9HEr+U50TqGlg1jzbs5IyG8t05BKxrY=,iv:eaotNSNrTERUdbHKknmSUuEBk76wlignjlu5LB0yBqQ=,tag:Di3Nup1zflNFZSjkRvNbgQ==,type:str]
+ lastmodified: "2022-10-29T23:16:41Z"
+ mac: ENC[AES256_GCM,data:tnVW6e6MzvneZobvPSp38dKosyWwBuvTk2W/2tQTErVdMvKSCLvrcnYEOzzYxKzbTuO3zKi++g100k45So6glG1vR/dUR8GUTlXZll8e85KueouW0CaxDCQc9C3TX6H0tCI+nWRvF4lvYqyOFZHY39MWIS87+aKC4d37ITmfed8=,iv:/TzT+OX6nCnVXpE5v8TbN55pJHaGfgw9CpEx+gkk51I=,tag:PP5Ns6y+zj9ELj9PcLH8ZQ==,type:str]
 pgp:
 - created_at: "2022-09-13T20:16:18Z"
 enc: |-
-- GitLab