feat: add firewall module

- add nftables/ipset modules
- add custom firewall module
2024-11-03 02:24:06 +11:00
parent 09a448ea52
commit ce12303576
24 changed files with 292 additions and 2 deletions
+35
@@ -143,6 +143,14 @@ hiera_include:
- networking
- ssh::server
- profiles::accounts::rundeck
- firewall::rules::in::exporters
- firewall::rules::out::consul
- firewall::rules::out::dns
- firewall::rules::out::http
- firewall::rules::out::https
- firewall::rules::out::ntp
- firewall::rules::out::puppet
- firewall::rules::out::vault
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -341,3 +349,30 @@ profiles::ceph::client::mons:
# aliases:
# - prodinf01n22
# - repos.main.unkin.net
firewall::ipset_queries:
certbot: "enc_role=roles::infra::pki::certbot"
cobbler: "enc_role=roles::infra::cobbler::server"
consul: "enc_role=roles::infra::storage::consul"
dhcp: "enc_role=roles::infra::dhcp::server"
dns_master: "enc_role=roles::infra::dns::master"
dns_resolver: "enc_role=roles::infra::dns::resolver"
edgecache: "enc_role=roles::infra::storage::edgecache"
gitea_runner: "enc_role=roles::infra::git::runner"
gitea_server: "enc_role=roles::infra::git::gitea"
glauth: "enc_role=roles::infra::auth::glauth"
gonic: "enc_role=roles::apps::music::gonic"
grafana: "enc_role=roles::infra::metrics::grafana"
haproxy: "enc_role=roles::infra::halb::haproxy"
jumphost: "enc_role=roles::infra::proxy::jumphost"
ntp: "enc_role=roles::infra::ntp::server"
prometheus: "enc_role=roles::infra::metrics::prometheus"
puppetboard: "enc_role=roles::infra::puppetboard::server"
puppetmaster: "enc_role=roles::infra::puppet::master"
puppetdb_sql: "enc_role=roles::infra::puppetdb::sql"
puppetdb_api: "enc_role=roles::infra::puppetdb::api"
redis: "enc_role=roles::infra::db::redis"
rundeck: "enc_role=roles::infra::automation::rundeck"
sql_galera: "enc_role=roles::infra::sql::galera"
sql_patroni: "enc_role=roles::infra::sql::patroni"
vault: "enc_role=roles::infra::storage::vault"
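Review bot: `firewall::rules::in::exporters` is added to the common `hiera_include` in the first hunk without an `::ipset` parameter, so unless that rule class defaults to a restricted source set it presumably opens the exporter ports on every node to any source; the vault role in this same commit shows the intended pattern with `firewall::rules::in::ssh::ipset: jumphost`. Since a `prometheus` ipset query is defined in the second hunk, the rule could be scoped the same way with `firewall::rules::in::exporters::ipset: prometheus` (adding `grafana` only if it scrapes targets directly, which is not visible here). Membership of every ipset is derived purely from `enc_role`, so any host the ENC classifies with one of these roles is trusted by each rule that references the set; a comment above `firewall::ipset_queries` would make that explicit, e.g. `# ipset membership is resolved from ENC role assignment; a node joins a set as soon as it is classified, so treat role changes as firewall changes`. Minor: `puppetmaster` sits out of alphabetical order relative to the `puppetdb_*` keys.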
+2
@@ -10,6 +10,8 @@ hiera_include:
profiles::packages::include:
lzo: {}
firewalld:
ensure: absent
network-scripts: {}
policycoreutils: {}
unar: {}
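Review bot: `firewalld: ensure: absent` removes the previous firewall in the same commit that introduces the nftables module, but nothing in this hunk orders the package removal after the new ruleset is applied, so the first run on an existing host may briefly have no filtering, or, if the removal does not flush firewalld's nftables tables, two stacks managing nftables at once — worth confirming against the firewall module's resource ordering. A one-line comment would record the intent for the next maintainer: `# replaced by the nftables-based firewall module; must not be installed alongside it`. If the zone configuration under /etc/firewalld should go as well, `ensure: purged` is the stronger choice.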
+6
@@ -1,4 +1,10 @@
---
hiera_include:
- firewall::rules::in::ssh
- firewall::rules::in::vault
firewall::rules::in::ssh::ipset: jumphost
profiles::vault::server::members_role: roles::infra::storage::vault
profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault
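Review bot: `firewall::rules::in::vault` is included without an `::ipset` restriction, unlike the ssh rule directly below it, so the Vault listener ports are presumably reachable from any source unless the class defaults otherwise. The API port legitimately needs wide reach (every node gets `firewall::rules::out::vault` in the common hiera), but if the class also opens the cluster/raft port, that one should be limited to the peers that `members_role` already names and that the `vault` ipset query in this commit covers — an `::ipset: vault` parameter on the cluster-port rule if the module supports one, otherwise a comment such as `# in::vault is intentionally unrestricted: every node talks to the API` so the omission reads as deliberate.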