---
# Firewalld zone definitions for a Kubernetes node. The consuming
# role/playbook is not part of this file; presumably firewalld_add lists
# zone settings to apply and firewalld_remove lists settings to revoke.
# TODO confirm against the role.
firewalld_add:
  # NOTE(review): this zone is bound to the whole eth0 interface and no
  # source restriction is visible here, so every service and port below
  # is reachable from any host that can reach eth0.
  - name: internal
    masquerade: false
    forward: true
    interfaces:
      - eth0
    services:
      - dhcpv6-client
      - ssh
      - http
      - https
    ports:
      - 9100/tcp  # node exporter
      - 6443/tcp  # kubernetes API
      - 9345/tcp  # supervisor API
      - 10250/tcp  # kubelet metrics
      # NOTE(review): etcd client/peer/metrics are control-plane-only
      # endpoints; verify that only the other server nodes can reach
      # eth0, or narrow these entries to node addresses.
      - 2379/tcp  # etcd client
      - 2380/tcp  # etcd peer
      - 2381/tcp  # etcd metrics
      - 30000-32767/tcp  # NodePort range
      # Canal CNI - Default -
      - 8472/udp  # canal vxlan
      - 9099/tcp  # canal health checks
      - 51820/udp  # canal WireGuard IPv4
      - 51821/udp  # canal WireGuard IPv6/dual-stack
      # Cilium CNI
      # - 8472/udp  # cilium vxlan
      # - 4240/tcp  # cilium health checks
      # - 8/0/icmp  # cilium health checks
      # - 51871/udp  # cilium wireguard
      # - 4244/tcp  # hubble relay
      # - 4245/tcp  # hubble relay
      # - 9962/tcp  # cilium agent prometheus
      # - 9963/tcp  # cilium operator prometheus
      # - 9964/tcp  # cilium proxy prometheus
      # - 2379-2380/tcp  # etcd access
      # Calico CNI
      # - 179/tcp  # calico bgp
      # - 4789/udp  # calico vxlan
      # - 5473/tcp  # calico typha
      # - 9098/tcp  # calico typha health checks
      # - 9099/tcp  # calico health checks
      # - 51820/udp  # calico WireGuard IPv4
      # - 51821/udp  # calico WireGuard IPv6/dual-stack
      # Flannel CNI
      # - 8472/udp  # flannel vxlan
      # - 4789/udp
  # firewalld's trusted zone accepts all connections, so traffic from
  # the source ranges below bypasses the port list above entirely.
  # NOTE(review): 10.42.0.0/16 and 10.43.0.0/16 are presumably the
  # cluster pod and service CIDRs and 10.0.0.0/16 the node network;
  # confirm each range is no wider than the addresses that need it.
  - name: trusted
    sources:
      - 10.42.0.0/16
      - 10.43.0.0/16
      - 10.0.0.0/16

# Services withdrawn from the public zone. ssh is still listed for the
# internal zone above.
firewalld_remove:
  - name: public
    services:
      - dhcpv6-client
      - ssh