mailbackup-relay.s2i2s.cloud.isti.cnr.it: Rule to allow traffic on port 80.

2026-06-16 12:40:44 +02:00 · 2026-06-16 12:40:44 +02:00 · 39c0596be6
parent 9bcd928d96
commit 39c0596be6
2 changed files with 14 additions and 1 deletions
--- a/s2i2s/mailbackup-relay/main.tf
+++ b/s2i2s/mailbackup-relay/main.tf
@ -85,6 +85,19 @@ resource "openstack_networking_secgroup_rule_v2" "bareos_fd_ingress" {
  remote_ip_prefix  = local.bareos_director_cidr
 }

+# Let's Encrypt http-01 ACME validation reaches the host on port 80 from a
+# wide, changing set of source IPs, so it must be open to the world.
+resource "openstack_networking_secgroup_rule_v2" "http_letsencrypt_ingress" {
+  security_group_id = openstack_networking_secgroup_v2.relay_access.id
+  description       = "HTTP for Let's Encrypt http-01 ACME validation"
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 80
+  port_range_max    = 80
+  remote_ip_prefix  = "0.0.0.0/0"
+}
+
 # --- Network port (main private network) ---
 resource "openstack_networking_port_v2" "relay_port" {
  name           = "mailbackup-relay-port"
--- a/s2i2s/mailbackup-relay/terraform.tfstate
+++ b/s2i2s/mailbackup-relay/terraform.tfstate