feat: add firewall rules

- create a class for each kind of in/out traffic
- use hiera_include to add firewall rules to each role
2024-11-10 12:47:35 +11:00
parent ce12303576
commit b9465cd78b
18 changed files with 133 additions and 15 deletions
+1
@@ -144,6 +144,7 @@ hiera_include:
- ssh::server
- profiles::accounts::rundeck
- firewall::rules::in::exporters
- firewall::rules::in::consul
- firewall::rules::out::consul
- firewall::rules::out::dns
- firewall::rules::out::http
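Review bot: Outbound rules are enumerated here (`out::consul`, `out::dns`, `out::http`) but no `firewall::rules::out::https` is included, so if the outbound chain's default policy is to drop, the host that gains `certbot` and `firewall::rules::in::https` in a later hunk cannot reach the ACME endpoint on 443, and the DHCP-server hunk's `ntpservers` entries would likewise need an NTP egress rule. Whether this matters depends on the default policy set by the firewall class, which is not part of this commit. If that policy is accept, the `out::*` includes are effectively documentation, and a one-line comment above the list saying so would stop readers from treating the set as authoritative.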
@@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive
hiera_include:
- profiles::selinux::setenforce
- firewall::rules::in::cobbler
- firewall::rules::in::http
- firewall::rules::in::https
- firewall::rules::in::tftp
- firewall::rules::in::sshd
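Review bot: `firewall::rules::in::tftp` and `firewall::rules::in::cobbler` are included here with no source restriction visible in the hunk, whereas the jumphost hunk scopes its ssh rule with an `ipset` parameter; TFTP is unauthenticated, so if these classes accept a similar parameter it is worth setting it to the provisioning network here, e.g. `firewall::rules::in::tftp::ipset: <provisioning-ipset>`. This assumes the classes expose such a parameter, which the commit does not show. If the restriction already lives inside the class defaults, a short comment on the include saying so saves the next reader the lookup.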
+4
@@ -1,4 +1,8 @@
---
hiera_include:
- firewall::rules::in::dhcp
- firewall::rules::in::sshd
profiles::dhcp::server::ntpservers:
- ntp01.main.unkin.net
- ntp02.main.unkin.net
+2
@@ -2,6 +2,8 @@
hiera_include:
- certbot
- profiles::pki::puppetcerts
- firewall::rules::in::sshd
- firewall::rules::in::https
certbot::domains:
- au-syd1-pve.main.unkin.net
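Review bot: Only `firewall::rules::in::https` is added alongside `certbot`, but certbot's http-01 challenge is answered on port 80, so if this host uses that challenge type renewals will fail without `- firewall::rules::in::http` next to the https include. If dns-01 is in use instead, a brief comment on the include stating that would keep someone from adding the port later by reflex. The challenge type is not visible in this commit, so this is a question rather than a defect.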
+9
@@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
- resource: service
segment: puppetdbapi
disposition: write
hiera_include:
- firewall::rules::in::sshd
- firewall::rules::in::puppetdbapi
firewall::rules::in::exporters::ports:
- 9100
- 9558
- 9635
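Review bot: `firewall::rules::in::exporters::ports` is set here, but the `hiera_include` list in the same hunk adds only `in::sshd` and `in::puppetdbapi`, not `firewall::rules::in::exporters`, so these ports are only opened if the exporters class is included from a more general hiera layer (the first hunk does include it, which may be that layer). If so, a comment such as `# consumed by firewall::rules::in::exporters, included from the common layer` would make the dependency visible; if not, the list is dead data and the ports stay closed. Note also that under hiera's default first-found lookup this per-host value replaces any default port list the class declares rather than extending it, unless lookup_options configures an array merge for the key.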
@@ -1,4 +1,13 @@
---
hiera_include:
- firewall::rules::in::consul
- firewall::rules::in::dns
- firewall::rules::in::http
- firewall::rules::in::https
- firewall::rules::in::sshd
firewall::rules::in::consul::is_server: true
profiles::consul::server::members_lookup: true
profiles::consul::server::data_dir: /data/consul
profiles::consul::server::addresses:
+1 -1
@@ -1,6 +1,6 @@
---
hiera_include:
- firewall::rules::in::ssh
- firewall::rules::in::sshd
- firewall::rules::in::vault
firewall::rules::in::ssh::ipset: jumphost
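Review bot: The include is renamed from `firewall::rules::in::ssh` to `firewall::rules::in::sshd`, but the parameter on the last line is still keyed `firewall::rules::in::ssh::ipset: jumphost`; with automatic parameter lookup that key is no longer consulted by the `sshd` class, so the jumphost restriction would silently fall back to the class default. Unless the sshd class explicitly looks up the old key, change the line to `firewall::rules::in::sshd::ipset: jumphost`. A `puppet lookup` of the new key on this node after the rename would confirm it resolves.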