Allow Caddy to reach Icinga Web #207

Open
Svaag wants to merge 1 commit into main from fix/mon-icinga-web-firewall


@Svaag Svaag commented Jun 13, 2026

Contributor

Summary

  • allow proxy/Caddy to reach mon's Icinga Web nginx listener on TCP/80
  • document the mon inbound flow
  • update generated nftables artifact

Validation

  • Applied firewall role to mon with firewall_apply=true
  • Verified https://mon.servify.network/icingaweb2 reaches the Icinga Web login page
  • Verified proxy can connect directly to http://[2a0c:b641:b50:2::50]/icingaweb2

Note

The deploy snapshot helper degraded because /etc/icinga2/scripts/.icinga-snapshot.env is missing on mon.

@github-actions

Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🏅 Score: 92
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Missing prefix length

The new rule at line 39 allows traffic from 2a0c:b641:b50:2::40 without a prefix length, which is a syntax error in nftables. The rule will fail to load, blocking the intended Icinga Web traffic. The adjacent Grafana rule at line 40 uses /128; this rule should also specify /128 to match the single proxy host.

ip6 saddr 2a0c:b641:b50:2::40 tcp dport 80 counter accept comment "Icinga Web from proxy"

@github-actions

Contributor

PR Code Suggestions ✨

No code suggestions found for the PR.
