# NetworkPolicies predefinition
# rules can be added to groups. Groups or rules can be applied to projects.
#
networkPolicy:
  config:
    # Generate NetworkPolicy to allow communication inside of the project namespace?
    # Only gets applied when other networkpolices are active on the project
    allowNamespace: true

    default:
      groups: []
      rules: []

  groups:
    internet:
      - allow-dns
      - allow-proxy
      - allow-ingress
      - allow-ingress-traffic

  rules:
  # Allow DNS to all Namespaces, deny everything else
    allow-dns:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - ports:
        - port: 53
          protocol: UDP
        to:
        - namespaceSelector: {}

    # Allow access to internet proxy
    allow-proxy:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - ports:
        - port: 3128
          protocol: TCP
        to:
        - namespaceSelector:
            matchLabels:
              app.heqet.gnu.one/name: proxy

    # Allow access from ingress-external
    allow-ingress:
      podSelector: {}
      policyTypes:
      - Ingress
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              project.heqet.gnu.one/name: ingress-external

    # Allow SSH for Gitea
    allow-ssh:
      podSelector: {}
      policyTypes:
      - Ingress
      ingress:
      - from:
        - ipBlock:
            cidr: 192.168.1.0/24
        - namespaceSelector:
            matchLabels:
              app.heqet.gnu.one/name: wiki
        ports:
        - port: 2222
          protocol: TCP

    # Allow direct access to gitea
    allow-gitea:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - to:
        - namespaceSelector:
            matchLabels:
              app.heqet.gnu.one/name: gitea
        ports:
        - port: 2222
          protocol: TCP

    # Allow Woodpacker-Agent to access Woodpacker Server
    allow-agent:
      podSelector: {}
      policyTypes:
      - Ingress
      ingress:
      - from:
        - namespaceSelector:
            matchLabels:
              app.heqet.gnu.one/name: woodpacker-agent

    allow-minio:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - ports:
        - port: 9000
          protocol: TCP
        to:
        - namespaceSelector:
            matchLabels:
              app.heqet.gnu.one/name: minio

    allow-ingress-traffic:
      podSelector: {}
      policyTypes:
      - Ingress
      ingress:
      - {}

    allow-external-services:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - to:
        - namespaceSelector:
            matchLabels:
              environment: external

    allow-argocd:
      podSelector: {}
      policyTypes:
      - Egress
      egress:
      - ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP
        to:
        - namespaceSelector:
            matchLabels:
              app.heqet.gnu.one/project: argocd