proxmox: set up firewall

Firewall policy is set in NetBox as cluster services¹. For Proxmox we
have to manually allow communication between nodes when using L3,
since the default management ipset does not get populated correctly.
We also need to open VTEP communication between nodes, which the
default rules don’t. We allow all inter-node traffic, as SSH without
passwords must be permitted anyway.

This also adds some helper filters that are spectacularly annoying to
implement purely in templates.

¹ There is actually no such thing as as a cluster service (yet?), so
instead we create a fake VM for the cluster, define services for it,
and then add the same services to a custom field on the cluster.
Alternative would be to tie services to a specific node, but that
could be problematic if that node is replaced.

roles/proxmox/templates/cluster.fw.j2

@@ -0,0 +1,23 @@
+[OPTIONS]
+
+enable: 1
+
+[RULES]
+
+IN Ping(ACCEPT) -log nolog # don’t be rude
+IN SSH(ACCEPT) -i mgmt # for ansible etc.
+IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 4) | map(attribute='address') | join(',') }} # my cluster
+IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 6) | map(attribute='address') | join(',') }} # my cluster
+{% for service in services %}
+{% set prefixes = service | allowed_prefixes %}
+{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') %}
+{% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map('string') %}
+{% set ports = service.ports | compact_numlist(range_delimiter=':') %}
+{% if prefixes4 %}
+IN ACCEPT -source {{ prefixes4 | join(',') }} -p {{ service.protocol }} -dport {{ ports }} # {{ service.name }}
+{% endif %}
+{% if prefixes6 %}
+IN ACCEPT -source {{ prefixes6 | join(',') }} -p {{ service.protocol }} -dport {{ ports }} # {{ service.name }}
+{% endif %}
+{% endfor %}
+