diff --git a/nodes/ipfs-1.json b/nodes/ipfs-1.json
index 2252a37..637f7f2 100644
--- a/nodes/ipfs-1.json
+++ b/nodes/ipfs-1.json
@@ -37,13 +37,13 @@
 "hostname::default",
 "ipfs::default",
 "ipfs::_user",
+ "firewall::default",
+ "chef-sugar::default",
 "kosmos-ipfs::kredits_pinner",
 "kosmos-nodejs::default",
 "nodejs::nodejs_from_package",
 "nodejs::repo",
 "kosmos-ipfs::firewall_swarm",
- "firewall::default",
- "chef-sugar::default",
 "kosmos-nginx::default",
 "nginx::default",
 "nginx::package",
diff --git a/site-cookbooks/kosmos-ipfs/attributes/default.rb b/site-cookbooks/kosmos-ipfs/attributes/default.rb
index e86b20f..ee892d9 100644
--- a/site-cookbooks/kosmos-ipfs/attributes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb
@@ -1,20 +1,55 @@
 node.normal['ipfs']['version'] = "0.15.0"
 node.normal['ipfs']['checksum'] = "5830ce226956c5e2a2de3a3440704402dd3501c43ec16eeec2d61491317005f2"
+node.default['kosmos-ipfs']['api']['port'] = 5001
 node.default['kosmos-ipfs']['ipfs']['config'] = {
 # The default gateway is already used by kosmos' hubot (8080)
 "Addresses.Gateway" => "/ip4/127.0.0.1/tcp/9090",
- # Do not keep track of bandwidth metrics. Disabling bandwidth metrics can
- # lead to a slight performance improvement, as well as a reduction in memory
- # usage.
- 'Swarm.DisableBandwidthMetrics' => true,
+ # API with Web UI
+ "Addresses.API" => "/ip4/0.0.0.0/tcp/5001",
+ # Enable bandwith metrics
+ 'Swarm.DisableBandwidthMetrics' => false,
 # Disable the p2p-circuit relay transport
 'Swarm.Transports.Network.Relay' => false,
 # Number of connections that, when exceeded, will trigger a connection GC
 # operation
 'Swarm.ConnMgr.HighWater' => 40,
 # Minimum number of connections to maintain
- 'Swarm.ConnMgr.LowWater' => 20
+ 'Swarm.ConnMgr.LowWater' => 20,
+ # Do not dial out to these IP ranges
+ # We go a bit nuts on the 10.0 range definitions to allow dialouts on our own
+ # private network
+ 'Swarm.AddrFilters' => [
+ '/ip4/10.128.0.0/ipcidr/9',
+ '/ip4/10.64.0.0/ipcidr/10',
+ '/ip4/10.32.0.0/ipcidr/11',
+ '/ip4/10.16.0.0/ipcidr/12',
+ '/ip4/10.8.0.0/ipcidr/13',
+ '/ip4/10.4.0.0/ipcidr/14',
+ '/ip4/10.2.0.0/ipcidr/15',
+ '/ip4/10.0.0.0/ipcidr/16',
+ '/ip4/10.1.128.0/ipcidr/17',
+ '/ip4/10.1.64.0/ipcidr/18',
+ '/ip4/10.1.32.0/ipcidr/19',
+ '/ip4/10.1.16.0/ipcidr/20',
+ '/ip4/10.1.8.0/ipcidr/21',
+ '/ip4/10.1.4.0/ipcidr/22',
+ '/ip4/10.1.2.0/ipcidr/23',
+ '/ip4/10.1.0.0/ipcidr/24',
+ '/ip4/100.64.0.0/ipcidr/10',
+ '/ip4/169.254.0.0/ipcidr/16',
+ '/ip4/172.16.0.0/ipcidr/12',
+ '/ip4/192.0.0.0/ipcidr/24',
+ '/ip4/192.0.0.0/ipcidr/29',
+ '/ip4/192.0.0.8/ipcidr/32',
+ '/ip4/192.0.0.170/ipcidr/32',
+ '/ip4/192.0.0.171/ipcidr/32',
+ '/ip4/192.0.2.0/ipcidr/24',
+ '/ip4/192.168.0.0/ipcidr/16',
+ '/ip4/198.18.0.0/ipcidr/15',
+ '/ip4/198.51.100.0/ipcidr/24',
+ '/ip4/203.0.113.0/ipcidr/24',
+ '/ip4/240.0.0.0/ipcidr/4'],
 }
 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
diff --git a/site-cookbooks/kosmos-ipfs/recipes/default.rb b/site-cookbooks/kosmos-ipfs/recipes/default.rb
index 30391bc..66ef62a 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@@ -4,6 +4,7 @@
 #
 include_recipe "ipfs"
+include_recipe 'firewall'
 include_recipe "kosmos-ipfs::kredits_pinner"
 node['kosmos-ipfs']['ipfs']['config'].each do |k, v|
@@ -15,3 +16,24 @@ end
 unless node.chef_environment == "development"
 include_recipe "kosmos-ipfs::firewall_swarm"
 end
+
+firewall_rule 'ipfs_api' do
+ port node['kosmos-ipfs']['api']['port']
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
+end
+
+firewall_rule 'ipfs_local_p2p_allow_out' do
+ destination "10.1.1.0/24"
+ direction :out
+ protocol :none
+ command :allow
+end
+
+firewall_rule 'ipfs_local_p2p_deny_out' do
+ destination "10.0.0.0/8"
+ direction :out
+ protocol :none
+ command :deny
+end
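Review bot: `"Addresses.API" => "/ip4/0.0.0.0/tcp/5001"` puts the IPFS RPC API — unauthenticated in this version, and able to rewrite config, remove pins and shut the daemon down — on every interface, so the `ipfs_api` firewall rule in the recipe becomes the only thing keeping it off the public network; bind it to loopback plus the private address instead, e.g. `"Addresses.API" => ["/ip4/127.0.0.1/tcp/5001", "/ip4/#{private_ip}/tcp/5001"]` (an array of multiaddrs is accepted) if the private address is available as a node attribute, and say in the comment that the firewall is a second layer rather than the control. The port is now declared in `node.default['kosmos-ipfs']['api']['port']` but the multiaddr and `nginx.api_port` still hard-code 5001, so an override would open the firewall on one port while the daemon listens on another; interpolate `"/tcp/#{node['kosmos-ipfs']['api']['port']}"` in both places. The `Swarm.AddrFilters` list looks like go-ipfs's `server` profile with 10.1.1.0/24 carved out, but only its IPv4 entries; if the host has IPv6 connectivity, the profile's ip6 filters (fc00::/7, fe80::/10 and the documentation ranges) should be carried over too, otherwise the node will still dial link-local and ULA peers. Typo in the new comment: `# Enable bandwith metrics` → `# Enable bandwidth metrics`.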
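Review bot: The `ipfs_local_p2p_allow_out` / `ipfs_local_p2p_deny_out` pair relies on declaration order to put the 10.1.1.0/24 allow ahead of the 10.0.0.0/8 deny; both use the cookbook's default position, and if the provider does not guarantee declaration order for equal positions the deny can end up first and cut off the private network as well, so pin them with `position 10` on the allow rule and `position 20` on the deny rule. The deny is also host-wide rather than IPFS-specific: every process on the node loses egress to 10.0.0.0/8 outside 10.1.1.0/24, which deserves a comment above the rule such as `# Host-wide: blocks all egress to 10/8 except our 10.1.1.0/24 network, not just IPFS` and a check against anything else the node reaches on private addresses. `firewall_rule 'ipfs_api'` is applied in every environment while `firewall_swarm` is skipped in development a few lines above, which looks inconsistent; if that skip is deliberate the new rules probably belong under the same guard. `10.1.1.0/24` is repeated three times here and is also the hole carved into `Swarm.AddrFilters` in the attributes file; an attribute such as `node['kosmos-ipfs']['private_network']` would keep the rules and the filter list in step.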