feat: add firewall rules
- create classes for each class of in/out traffic - use hiera_include to add firewall rules to each role
@@ -144,6 +144,7 @@ hiera_include:
|
||||
- ssh::server
|
||||
- profiles::accounts::rundeck
|
||||
- firewall::rules::in::exporters
|
||||
- firewall::rules::in::consul
|
||||
- firewall::rules::out::consul
|
||||
- firewall::rules::out::dns
|
||||
- firewall::rules::out::http
|
||||
|
||||
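Review bot: The egress set for this role is only `firewall::rules::out::dns` and `firewall::rules::out::http`; whether that is sufficient depends on the OUTPUT chain's default policy, which is not visible here. If the default is drop, anything on this role that talks TLS outbound (package mirrors, ACME, API calls) will be blocked once these rules land, so either an `out::https` class is needed or a comment should record that egress is default-accept and these classes are documentary. A one-line comment above the `out::` entries, e.g. `# egress: OUTPUT policy is <accept|drop>; add out::https if 443 egress is required`, would make the intent checkable. The enclosing `hiera_include:` list starts before this hunk.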
@@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive
|
||||
|
||||
hiera_include:
|
||||
- profiles::selinux::setenforce
|
||||
- firewall::rules::in::cobbler
|
||||
- firewall::rules::in::http
|
||||
- firewall::rules::in::https
|
||||
- firewall::rules::in::tftp
|
||||
- firewall::rules::in::sshd
|
||||
|
||||
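Review bot: The provisioning services opened here (`firewall::rules::in::cobbler`, `in::http`, `in::tftp`) carry no source restriction in this file, and TFTP/HTTP boot services are unauthenticated by nature. Elsewhere in this commit the rule classes take an ipset parameter (`firewall::rules::in::ssh::ipset: jumphost`), so if the cobbler/tftp/http classes accept the same — not visible from here — these should be limited to the provisioning network, e.g. `firewall::rules::in::tftp::ipset: <provisioning-net>`. If they do not accept a source parameter, a comment stating that the host sits on an isolated provisioning VLAN would answer the question for the next reader. Note the `selinux ... permissive` line in the hunk header is pre-existing context, not part of this change.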
@@ -1,4 +1,8 @@
|
||||
---
|
||||
hiera_include:
|
||||
- firewall::rules::in::dhcp
|
||||
- firewall::rules::in::sshd
|
||||
|
||||
profiles::dhcp::server::ntpservers:
|
||||
- ntp01.main.unkin.net
|
||||
- ntp02.main.unkin.net
|
||||
|
||||
@@ -2,6 +2,8 @@
|
||||
hiera_include:
|
||||
- certbot
|
||||
- profiles::pki::puppetcerts
|
||||
- firewall::rules::in::sshd
|
||||
- firewall::rules::in::https
|
||||
|
||||
certbot::domains:
|
||||
- au-syd1-pve.main.unkin.net
|
||||
|
||||
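Review bot: This host includes `certbot` with `certbot::domains` set but the inbound rules added are only `firewall::rules::in::sshd` and `firewall::rules::in::https`; if certbot is using the default http-01 challenge, the ACME validator must reach port 80 and renewals will fail once the firewall is enforced. If the challenge type is dns-01 or tls-alpn-01 this is fine, but the file does not show which. Either add `- firewall::rules::in::http` or record the reason it is absent with a comment such as `# no in::http: certbot uses dns-01, port 80 not required`. The `hiera_include:` list may continue outside this hunk.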
@@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
|
||||
- resource: service
|
||||
segment: puppetdbapi
|
||||
disposition: write
|
||||
|
||||
hiera_include:
|
||||
- firewall::rules::in::sshd
|
||||
- firewall::rules::in::puppetdbapi
|
||||
|
||||
firewall::rules::in::exporters::ports:
|
||||
- 9100
|
||||
- 9558
|
||||
- 9635
|
||||
|
||||
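Review bot: `firewall::rules::in::exporters::ports` is set here, but `firewall::rules::in::exporters` is not in this file's `hiera_include` (only `in::sshd` and `in::puppetdbapi`), so the port list only takes effect if the class is included at another hierarchy level — presumably the shared role in this same commit that lists `firewall::rules::in::exporters`. That dependency should be written down above the key, e.g. `# consumed by firewall::rules::in::exporters, included from the common role`, otherwise the next person to touch the common list can silently orphan it. Separately, no source restriction is visible for 9100/9558/9635; exporter endpoints are typically unauthenticated, so if the class supports an ipset or source parameter it should be pinned to the scraper. The `profiles::consul::client::node_rules` entry at the top is context that begins before this hunk.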
@@ -1,4 +1,13 @@
|
||||
---
|
||||
hiera_include:
|
||||
- firewall::rules::in::consul
|
||||
- firewall::rules::in::dns
|
||||
- firewall::rules::in::http
|
||||
- firewall::rules::in::https
|
||||
- firewall::rules::in::sshd
|
||||
|
||||
firewall::rules::in::consul::is_server: true
|
||||
|
||||
profiles::consul::server::members_lookup: true
|
||||
profiles::consul::server::data_dir: /data/consul
|
||||
profiles::consul::server::addresses:
|
||||
|
||||
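Review bot: It is not obvious why a Consul server role needs `firewall::rules::in::http` and `firewall::rules::in::https` alongside `in::consul` and `in::dns`; if these exist for a UI or a reverse proxy in front of the Consul HTTP API, that should be stated, because an unrestricted 80/443 in front of an API that is not ACL-protected is a common exposure. Add a comment above those two entries, e.g. `# 80/443: <service> served from the consul servers`, so a reviewer can tell whether they are still required. `is_server: true` presumably widens the consul rule to the server RPC/serf ports — confirm the class also keeps the HTTP API port off this rule unless it is intended to be reachable. The `profiles::consul::server::addresses:` mapping continues past the end of this hunk.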
@@ -1,6 +1,6 @@
|
||||
---
|
||||
hiera_include:
|
||||
- firewall::rules::in::ssh
|
||||
- firewall::rules::in::sshd
|
||||
- firewall::rules::in::vault
|
||||
|
||||
firewall::rules::in::ssh::ipset: jumphost
|
||||
|
||||
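Review bot: The hunk header reports 6 lines before and after, so one line was replaced, and the most likely reading is that `- firewall::rules::in::ssh` was dropped in favour of `- firewall::rules::in::sshd` — yet `firewall::rules::in::ssh::ipset: jumphost` is still present. If that reading is right, the key now configures a class that is no longer included, and the jumphost-only restriction on SSH into the Vault host is silently lost, which is a real regression on the most sensitive box in this commit. The fix is to carry the restriction over to the new class if it accepts it, e.g. `firewall::rules::in::sshd::ipset: jumphost`, and delete the orphaned `in::ssh::ipset` key; if `in::sshd` has no source parameter, keep `in::ssh` instead. Please confirm from the full diff which side each of the two lines is on.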