From c9f008ad82f5fac46f637c3be1137e1be206dfbd Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 21 Mar 2021 10:37:28 +0100
Subject: [PATCH] bundles/openssh: move iptables rules to metadata reactor

---
 bundles/iptables/files/00-defaults |  1 -
 bundles/iptables/items.py          |  5 -----
 bundles/openssh/metadata.py        | 14 ++++++++++++++
 3 files changed, 14 insertions(+), 6 deletions(-)
 delete mode 100644 bundles/iptables/files/00-defaults

diff --git a/bundles/iptables/files/00-defaults b/bundles/iptables/files/00-defaults
deleted file mode 100644
index af1ca28..0000000
--- a/bundles/iptables/files/00-defaults
+++ /dev/null
@@ -1 +0,0 @@
-iptables_both -A INPUT -p tcp --dport 22 -j ACCEPT
diff --git a/bundles/iptables/items.py b/bundles/iptables/items.py
index 69fba15..d0bf6b3 100644
--- a/bundles/iptables/items.py
+++ b/bundles/iptables/items.py
@@ -21,11 +21,6 @@ files = {
             'action:iptables_enforce',
         },
     },
-    '/etc/iptables-rules.d/00-defaults': {
-        'triggers': {
-            'action:iptables_enforce',
-        },
-    },
 }
 
 for bundle, rules in node.metadata.get('iptables/bundle_rules', {}).items():
diff --git a/bundles/openssh/metadata.py b/bundles/openssh/metadata.py
index d3e805c..ebc8854 100644
--- a/bundles/openssh/metadata.py
+++ b/bundles/openssh/metadata.py
@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
     'apt': {
         'packages': {
@@ -12,3 +14,15 @@ defaults = {
         },
     },
 }
+
+@metadata_reactor.provides(
+    'iptables/port_rules/22',
+)
+def iptables(metadata):
+    return {
+        'iptables': {
+            'port_rules': {
+                '22': atomic(metadata.get('openssh/restrict-to', set('*'))),
+            },
+        },
+    }
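Review bot: The default `set('*')` in the new `iptables` reactor only works because the argument is a single character — `set()` iterates its argument, so any longer default string would silently expand into one entry per character; the literal `{'*'}` states the intent without that trap: `'22': atomic(metadata.get('openssh/restrict-to', {'*'})),`. That default carries over the behaviour of the deleted `00-defaults` rule, namely TCP/22 accepted from any source, and since this is now the one place deciding the SSH exposure of every node using the bundle it deserves a comment above the reactor making the open-to-all fallback an explicit choice, e.g. `# Fallback mirrors the former 00-defaults rule: SSH reachable from any source unless openssh/restrict-to narrows it.` Wrapping the value in `atomic()` presumably stops a node-level `restrict-to` from being merged with the wildcard rather than replacing it; a short note saying so would help the next reader, as the reactor is otherwise undocumented.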