From 8365598f52df87c95f2fb6e3f063120d72c1e6c1 Mon Sep 17 00:00:00 2001
From: Christian Boltz <cboltz@opensuse.org>
Date: May 30 2025 18:05:25 +0000
Subject: Merge branch 'crameleon/kani' into 'production'


Prepare kani-dev and kani-ext networks

See merge request https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/2471.
---

diff --git a/pillar/cluster/falkor/network.sls b/pillar/cluster/falkor/network.sls
index 0f4c303..cd4b3f5 100644
--- a/pillar/cluster/falkor/network.sls
+++ b/pillar/cluster/falkor/network.sls
@@ -39,6 +39,8 @@ network:
           'os-kani': 1210,
           'os-netbox': 1211,
           'os-log': 1215,
+          'os-kani-dev': 1216,
+          'os-kani-ext': 1217,
         }
     %}
     {%- for vlan_name, vlan_id in vlanmap.items() %}
diff --git a/pillar/infra/networks.yaml b/pillar/infra/networks.yaml
index f098ba1..7eaf773 100644
--- a/pillar/infra/networks.yaml
+++ b/pillar/infra/networks.yaml
@@ -89,6 +89,16 @@ prg2:
     net6: 2a07:de40:b27e:1215::/64
     gw6: 2a07:de40:b27e:1215::3
     id: 1215
+  openSUSE-kani-dev:
+    short: os-kani-dev
+    net6: 2a07:de40:b27e:1216::/64
+    gw6: 2a07:de40:b27e:1216::3
+    id: 1216
+  openSUSE-kani-ext:
+    short: os-kani-ext
+    net6: 2a07:de40:b27e:1217::/64
+    gw6: 2a07:de40:b27e:1217::3
+    id: 1217
 
 slc1:
   openSUSE-bare:
diff --git a/salt/files/nftables/asgard/01_variables.nft b/salt/files/nftables/asgard/01_variables.nft
index 72315b6..14f03cb 100644
--- a/salt/files/nftables/asgard/01_variables.nft
+++ b/salt/files/nftables/asgard/01_variables.nft
@@ -56,6 +56,12 @@ define net6_os-netbox   = 2a07:de40:b27e:1211::/64
 # VLAN 1215 openSUSE-log
 define net6_os-log      = 2a07:de40:b27e:1215::/64
 
+# VLAN 1216 openSUSE-kani-dev
+define net6_os-kani-dev = 2a07:de40:b27e:1216::/64
+
+# VLAN 1217 openSUSE-kani-ext
+define net6_os-kani-ext = 2a07:de40:b27e:1217::/64
+
 define net6_vpn-udp     = 2a07:de40:b27e:5001::/64
 define net6_vpn-tcp     = 2a07:de40:b27e:5002::/64
 
diff --git a/salt/files/nftables/asgard/zones/1216_os-kani-dev.nft b/salt/files/nftables/asgard/zones/1216_os-kani-dev.nft
new file mode 100644
index 0000000..b838d24
--- /dev/null
+++ b/salt/files/nftables/asgard/zones/1216_os-kani-dev.nft
@@ -0,0 +1,17 @@
+###################################################
+## MANAGED BY SALT in salt/files/nftables/asgard ##
+###################################################
+
+ chain input_network_os-kani-dev {
+  jump global_internal
+
+  ip6 saddr $net6_os-kani-dev ip6 daddr @self6_kani-dev ip6 nexthdr icmpv6 accept
+
+  # Kanidm needs to query itself through reverse proxy
+  ip6 saddr $net6_os-kani-dev ip6 daddr @host6_hel tcp dport https accept
+
+  log prefix "[Kani Dev Denied] " reject with icmpv6 type admin-prohibited
+ }
+
+ chain output_network_os-kani-dev {
+ }
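Review bot: The ICMPv6 accept rule uses `ip6 nexthdr icmpv6`, which only matches when ICMPv6 is the header immediately following the IPv6 header, so ICMPv6 behind an extension header (fragment, hop-by-hop, destination options) falls through to the logged reject at the end of the chain; `ip6 saddr $net6_os-kani-dev ip6 daddr @self6_kani-dev meta l4proto icmpv6 accept` matches through extension headers. The chain also references the sets `@self6_kani-dev` and `@host6_hel`, neither of which is defined in this merge request; if they are not generated elsewhere in the Salt state the ruleset will fail to load. It would also help to document the source of those sets next to the comment on the HTTPS rule, e.g. `# @self6_kani-dev / @host6_hel are populated from pillar by the asgard nftables state`, confirmed against the state that renders this file.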
diff --git a/salt/files/nftables/asgard/zones/1217_os-kani-ext.nft b/salt/files/nftables/asgard/zones/1217_os-kani-ext.nft
new file mode 100644
index 0000000..e23a116
--- /dev/null
+++ b/salt/files/nftables/asgard/zones/1217_os-kani-ext.nft
@@ -0,0 +1,17 @@
+###################################################
+## MANAGED BY SALT in salt/files/nftables/asgard ##
+###################################################
+
+ chain input_network_os-kani-ext {
+  jump global_internal
+
+  ip6 saddr $net6_os-kani-ext ip6 daddr @self6_kani-ext ip6 nexthdr icmpv6 accept
+
+  # Kanidm needs to query itself through reverse proxy
+  ip6 saddr $net6_os-kani-ext ip6 daddr @host6_hel tcp dport https accept
+
+  log prefix "[Kani Ext Denied] " reject with icmpv6 type admin-prohibited
+ }
+
+ chain output_network_os-kani-ext {
+ }
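Review bot: This zone jumps to `global_internal` and is otherwise byte-identical to the os-kani-dev zone, which is worth confirming if the `ext` suffix means this network faces external or less-trusted clients, since it then inherits whatever `global_internal` permits. If the identical policy is intentional, a comment such as `# same policy as os-kani-dev by design; "ext" refers to the externally reachable Kanidm instance, not a lower trust level` would stop a later reader from tightening or loosening one file without the other. As with the dev zone, `ip6 nexthdr icmpv6` skips ICMPv6 carried behind extension headers; `meta l4proto icmpv6` is the more robust match. The two files could also be rendered from one Salt template parameterized on the zone name to keep them from drifting.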