From 2d856a1e9a61382d7e1e53d215a16f883918c88a Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 16 Nov 2020 16:35:01 +0100
Subject: [PATCH] bundles/nginx: add iptables rules

---
 bundles/nginx/metadata.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index 79e0fd1..70bd599 100644
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@@ -124,3 +124,26 @@ def monitoring(metadata):
         },
     },
 }
+
+
+@metadata_reactor
+def iptables(metadata):
+    interfaces = metadata.get('nginx/restrict-to-interfaces', set())
+    iptables = []
+
+    if len(interfaces):
+        for iface in sorted(interfaces):
+            iptables.append(f'iptables -A INPUT -i {iface} -p tcp --dport 80 -j ACCEPT')
+            iptables.append(f'iptables -A INPUT -i {iface} -p tcp --dport 443 -j ACCEPT')
+
+    else:
+        iptables.append('iptables -A INPUT -p tcp --dport 80 -j ACCEPT')
+        iptables.append('iptables -A INPUT -p tcp --dport 443 -j ACCEPT')
+
+    return {
+        'iptables': {
+            'bundle_rules': {
+                'nginx': iptables,
+            },
+        },
+    }
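Review bot: The `else` branch at the bottom of the new reactor opens ports 80 and 443 on every interface whenever `nginx/restrict-to-interfaces` is absent or empty, so any node that simply does not set the key ends up with a world-reachable listener by default; if that is intended, say so on the branch (`# no restriction configured: accept on all interfaces`), otherwise consider emitting no rule until an interface set is given. The interface name taken from metadata is interpolated straight into the rule string, so a value containing whitespace or shell metacharacters yields a malformed or unintended rule — a guard before the appends such as `if not re.fullmatch(r'[A-Za-z0-9_.:@-]+', iface): raise ValueError(f'invalid interface name {iface!r}')` (with `import re` at the top of the file) keeps the rule well-formed. Only `iptables` rules are generated; if the iptables bundle does not also mirror these to `ip6tables`, an nginx that listens on IPv6 is not covered by this change. Minor style: `if len(interfaces):` is just `if interfaces:`, and the local list named `iptables` shadows the reactor function's own name — `rules` would read better.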