Firewall and networking

HostKit can model host firewall policy, workspace egress policy, service listeners, and systemd network restrictions.

use HostKit.DSL

project :prod do
  firewall do
    allow tcp: 22, from: :any
    allow tcp: [80, 443], from: :any
    allow tcp: 9100, from: {10, 44, 0, 0, 24}
    deny :all
  end

  service :api do
    daemon do
      exec ["/opt/api/bin/server"]

      listen :http, port: 4000

      isolate do
        network :loopback
      end
    end
  end
end

Firewall policy renders to nftables. network_policy compiles into systemd service options such as IPAddressDeny=, IPAddressAllow=, and RestrictAddressFamilies=.
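To make that rendering concrete, here is an added, illustrative renderer in Python. It is not HostKit's own code and does not show the exact ruleset HostKit emits: it takes the rules from the `firewall do ... end` block above (the `{10, 44, 0, 0, 24}` source written as the CIDR string "10.44.0.0/24"), produces an nftables input chain with `deny :all` as the chain policy, and maps `network :loopback` to the systemd options named above. The mapping of the `:loopback` mode, the accept rules for loopback and established connections, and the audit helper are assumptions of this example.

```python
from ipaddress import ip_network

# Constructed policy mirroring the `firewall do ... end` block above:
# (protocol, ports, source), with source "any" or a CIDR string.
PROD_FIREWALL = [
    ("tcp", [22], "any"),
    ("tcp", [80, 443], "any"),
    ("tcp", [9100], "10.44.0.0/24"),
]


def render_nft_input(rules, default="drop"):
    """Render an inet filter table whose input chain accepts only the
    listed rules. `deny :all` is modelled as the chain policy, so any
    packet no allow rule matches is dropped. Loopback and established
    connections are accepted first, as a host firewall needs."""
    lines = [
        "table inet filter {",
        "  chain input {",
        f"    type filter hook input priority 0; policy {default};",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for proto, ports, src in rules:
        portset = (str(ports[0]) if len(ports) == 1
                   else "{ " + ", ".join(map(str, ports)) + " }")
        match = f"{proto} dport {portset}"
        if src != "any":
            net = ip_network(src)  # rejects malformed prefixes early
            family = "ip" if net.version == 4 else "ip6"
            match = f"{family} saddr {net} {match}"
        lines.append(f"    {match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def render_systemd_network(mode):
    """Assumed mapping of `isolate do network :loopback end` to unit
    options: the service may only talk to localhost, and raw or packet
    sockets are unavailable because only these address families remain."""
    if mode == "loopback":
        return [
            "IPAddressDeny=any",
            "IPAddressAllow=localhost",
            "RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6",
        ]
    raise ValueError(f"network mode {mode!r} not modelled here")


def externally_allowed_ports(rules):
    """Ports reachable from any source: the audit check that a loopback
    listener such as :http on 4000 is not also opened on the host."""
    return {p for _, ports, src in rules for p in ports if src == "any"}
```

The audit helper is the check worth keeping: the `:api` listener on port 4000 is isolated to loopback, so it must not appear among the ports the host firewall opens to `:any`; if it did, the systemd restriction and the firewall would disagree about who may reach the service.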

Host-scoped firewall

Firewall policy can also live inside a host declaration:

host :prod, at: "app.example.com" do
  firewall do
    allow tcp: 22, from: :any
    allow tcp: [80, 443], from: :any
    deny :all
  end
end

Named listeners

Named listeners keep provider integrations decoupled from port literals:

use HostKit.DSL, providers: [HostKit.Providers.Caddy]

project :prod do
  service :api do
    daemon do
      exec ["/opt/api/bin/server"]
      listen :http, port: 4000
    end

    caddy_site "api.example.com" do
      reverse_proxy :http
    end
  end
end

Workspace egress

Workspace services can express outbound policy separately from host ingress:

workspace :blog, owner: :alice do
  service :preview do
    egress deny: :private, allow: [tcp: 443]
  end
end

This gives HostKit enough information to render firewall/network policy and to audit what each service or workspace is expected to reach.
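As an added example of what such an audit can look like, not HostKit's own code, the Python below renders the `egress deny: :private, allow: [tcp: 443]` policy above into nftables output-chain rules and evaluates it for individual destinations. It assumes `:private` expands to the RFC 1918 ranges plus link-local (IPv4 only), that the workspace owner `:alice` maps to a Unix user so the rules can be scoped with `meta skuid`, and that loopback stays open for the workspace; none of that is stated on this page.

```python
from ipaddress import ip_address, ip_network

# Assumed expansion of `:private`: RFC 1918 plus link-local (IPv4 only).
PRIVATE_V4 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]

# Constructed policy mirroring `egress deny: :private, allow: [tcp: 443]`.
PREVIEW_EGRESS = {"owner": "alice", "deny": "private", "allow": [("tcp", 443)]}


def _denied_ranges(deny):
    return PRIVATE_V4 if deny == "private" else list(deny)


def render_nft_output(policy):
    """Render output-chain rules scoped to the workspace owner's Unix user
    via `meta skuid`, so other users on the host are untouched. Denied
    destinations are dropped before any allow rule, then allowed ports
    are accepted, and a final rule drops everything else for that user."""
    who = f"meta skuid {policy['owner']}"
    lines = [
        "table inet filter {",
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    for r in _denied_ranges(policy["deny"]):
        lines.append(f"    {who} ip daddr {ip_network(r)} drop")
    for proto, port in policy["allow"]:
        lines.append(f"    {who} {proto} dport {port} accept")
    lines += [f"    {who} drop", "  }", "}"]
    return "\n".join(lines)


def permits(policy, dst_ip, proto, port):
    """Evaluate the policy for one destination in the same order as the
    rendered chain: denied ranges win over allowed ports."""
    addr = ip_address(dst_ip)
    if any(addr in ip_network(r) for r in _denied_ranges(policy["deny"])):
        return False
    return (proto, port) in policy["allow"]
```

The ordering matters: with the deny rules first, TCP 443 to an internal address is still dropped, which is the behaviour a preview service that must not reach internal infrastructure needs. Port-level egress belongs in nftables here because systemd's IPAddressDeny= and IPAddressAllow= match addresses only and cannot express `tcp: 443`.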