pellepelster
commented
9 months ago You are right, especially in the context of a Hetzner a managed Hetzner firewall would be the better idea, especially since the UFW will not cover accidental port exposure from docker containers. The next release will contain a "real" private option where the port is only bound to the local interface. I would like to keep the firewall option because it adds another layer of security bit it should be no issue to make it optional.
christoph-buente
https://github.com/pellepelster/solidblocks/blob/5444af56915a988fe0d5c4f55c89323f2533ac62/solidblocks-hetzner/modules/rds-postgresql/user_data.sh#L201
Hey @pellepelster,
I was fiddling with the option to move SSH to a different port and always got locked out of the server. Turns out, the user-data script configures a local firewall. This goes a bit against the principles of the cloud-native approach, which delegates these concerns to the cloud provider. In fact, in Terraform, I define a firewall and have it automatically applied, based on the labels of the servers. Now, is there a way to make the firewall optional? Cause I think this should not be a concern of the database host.
This may be different if we run your modules on-premise. But my understanding is, that the modules are aimed primarily at the Hetzner cloud.
I know I can use
ufw disablein thepost_scriptoption. Just wondering if this needs to be there at all.Appreciate your work. Interested to hear your thoughts.