

3 Commits

90ce015d43 feat: add enable/disable flag to firewall::init 2024-11-16 11:50:35 +11:00
b9465cd78b feat: add firewall rules
- create classes for each class of in/out traffic
- use hier_include to add firewall rules to each role
2024-11-10 12:47:35 +11:00
ce12303576 feat: add firewall module
- add nftables/ipset modules
- add custom firewall module
2024-11-03 03:32:20 +11:00
37 changed files with 414 additions and 2 deletions


@ -11,7 +11,6 @@ mod 'puppetlabs-apt', '9.4.0'
mod 'puppetlabs-lvm', '2.1.0' mod 'puppetlabs-lvm', '2.1.0'
mod 'puppetlabs-puppetdb', '7.13.0' mod 'puppetlabs-puppetdb', '7.13.0'
mod 'puppetlabs-postgresql', '9.1.0' mod 'puppetlabs-postgresql', '9.1.0'
mod 'puppetlabs-firewall', '6.0.0'
mod 'puppetlabs-accounts', '8.1.0' mod 'puppetlabs-accounts', '8.1.0'
mod 'puppetlabs-mysql', '15.0.0' mod 'puppetlabs-mysql', '15.0.0'
mod 'puppetlabs-xinetd', '3.4.1' mod 'puppetlabs-xinetd', '3.4.1'
@ -42,6 +41,8 @@ mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.0.0' mod 'puppet-letsencrypt', '11.0.0'
mod 'puppet-rundeck', '9.1.0' mod 'puppet-rundeck', '9.1.0'
mod 'puppet-redis', '11.0.0' mod 'puppet-redis', '11.0.0'
mod 'puppet-ipset', '4.3.0'
mod 'puppet-nftables', '4.0.0'
# other # other
mod 'ghoneycutt-puppet', '3.3.0' mod 'ghoneycutt-puppet', '3.3.0'
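Review bot: `puppet-ipset` is added but none of the 37 files in this compare declare an `ipset` resource — `class firewall` builds its sets with `nftables::set` — so the module appears unused. If it is pulled in only as a dependency of `puppet-nftables`, a short comment above the line saying so would save the next reader the search; otherwise drop it to keep the dependency surface small.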


@ -143,6 +143,15 @@ hiera_include:
- networking - networking
- ssh::server - ssh::server
- profiles::accounts::rundeck - profiles::accounts::rundeck
- firewall::rules::in::exporters
- firewall::rules::in::consul
- firewall::rules::out::consul
- firewall::rules::out::dns
- firewall::rules::out::http
- firewall::rules::out::https
- firewall::rules::out::ntp
- firewall::rules::out::puppet
- firewall::rules::out::vault
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server' profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region' profiles::ntp::client::use_ntp: 'region'
@ -341,3 +350,31 @@ profiles::ceph::client::mons:
# aliases: # aliases:
# - prodinf01n22 # - prodinf01n22
# - repos.main.unkin.net # - repos.main.unkin.net
firewall::enable: true
firewall::ipset_queries:
certbot: "enc_role=roles::infra::pki::certbot"
cobbler: "enc_role=roles::infra::cobbler::server"
consul: "enc_role=roles::infra::storage::consul"
dhcp: "enc_role=roles::infra::dhcp::server"
dns_master: "enc_role=roles::infra::dns::master"
dns_resolver: "enc_role=roles::infra::dns::resolver"
edgecache: "enc_role=roles::infra::storage::edgecache"
gitea_runner: "enc_role=roles::infra::git::runner"
gitea_server: "enc_role=roles::infra::git::gitea"
glauth: "enc_role=roles::infra::auth::glauth"
gonic: "enc_role=roles::apps::music::gonic"
grafana: "enc_role=roles::infra::metrics::grafana"
haproxy: "enc_role=roles::infra::halb::haproxy"
jumphost: "enc_role=roles::infra::proxy::jumphost"
ntp: "enc_role=roles::infra::ntp::server"
prometheus: "enc_role=roles::infra::metrics::prometheus"
puppetboard: "enc_role=roles::infra::puppetboard::server"
puppetmaster: "enc_role=roles::infra::puppet::master"
puppetdb_sql: "enc_role=roles::infra::puppetdb::sql"
puppetdb_api: "enc_role=roles::infra::puppetdb::api"
redis: "enc_role=roles::infra::db::redis"
rundeck: "enc_role=roles::infra::automation::rundeck"
sql_galera: "enc_role=roles::infra::sql::galera"
sql_patroni: "enc_role=roles::infra::sql::patroni"
vault: "enc_role=roles::infra::storage::vault"
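Review bot: `firewall::enable: true` at the common level turns on `class firewall` for every node, and that class sets `in_ssh => false`, so any role whose hiera does not also include `firewall::rules::in::sshd` loses SSH on its next agent run; the common `hiera_include` above adds only `in::exporters` and `in::consul`. Either add `- firewall::rules::in::sshd` to the common list (optionally constrained with `firewall::rules::in::sshd::ipset: jumphost`) or keep `firewall::enable` false in common and enable it per role once each role's inbound rules are in place. The `ipset_queries` block would also benefit from a comment noting that the resulting set members are the `networking.ip` facts of the matched nodes, since every `ip saddr @set accept` rule trusts them.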


@ -10,6 +10,8 @@ hiera_include:
profiles::packages::include: profiles::packages::include:
lzo: {} lzo: {}
firewalld:
ensure: absent
network-scripts: {} network-scripts: {}
policycoreutils: {} policycoreutils: {}
unar: {} unar: {}
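Review bot: Nothing in this change orders the `firewalld` package removal relative to the `nftables` class, so on a RedHat-family node the first run may tear down firewalld's ruleset before the nftables ruleset is loaded, leaving a window with no filtering (inferred from what is visible; the ordering may be handled elsewhere). If that is a concern, add a relationship such as `Class['nftables'] -> Package['firewalld']` in the profile that consumes this hash so the replacement ruleset is in place first.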


@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive
hiera_include: hiera_include:
- profiles::selinux::setenforce - profiles::selinux::setenforce
- firewall::rules::in::cobbler
- firewall::rules::in::http
- firewall::rules::in::https
- firewall::rules::in::tftp
- firewall::rules::in::sshd


@ -1,4 +1,8 @@
--- ---
hiera_include:
- firewall::rules::in::dhcp
- firewall::rules::in::sshd
profiles::dhcp::server::ntpservers: profiles::dhcp::server::ntpservers:
- ntp01.main.unkin.net - ntp01.main.unkin.net
- ntp02.main.unkin.net - ntp02.main.unkin.net


@ -2,6 +2,8 @@
hiera_include: hiera_include:
- certbot - certbot
- profiles::pki::puppetcerts - profiles::pki::puppetcerts
- firewall::rules::in::sshd
- firewall::rules::in::https
certbot::domains: certbot::domains:
- au-syd1-pve.main.unkin.net - au-syd1-pve.main.unkin.net


@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
- resource: service - resource: service
segment: puppetdbapi segment: puppetdbapi
disposition: write disposition: write
hiera_include:
- firewall::rules::in::sshd
- firewall::rules::in::puppetdbapi
firewall::rules::in::exporters::ports:
- 9100
- 9558
- 9635


@ -1,4 +1,13 @@
--- ---
hiera_include:
- firewall::rules::in::consul
- firewall::rules::in::dns
- firewall::rules::in::http
- firewall::rules::in::https
- firewall::rules::in::sshd
firewall::rules::in::consul::is_server: true
profiles::consul::server::members_lookup: true profiles::consul::server::members_lookup: true
profiles::consul::server::data_dir: /data/consul profiles::consul::server::data_dir: /data/consul
profiles::consul::server::addresses: profiles::consul::server::addresses:


@ -1,4 +1,10 @@
--- ---
hiera_include:
- firewall::rules::in::sshd
- firewall::rules::in::vault
firewall::rules::in::ssh::ipset: jumphost
profiles::vault::server::members_role: roles::infra::storage::vault profiles::vault::server::members_role: roles::infra::storage::vault
profiles::vault::server::members_lookup: true profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault profiles::vault::server::data_dir: /data/vault
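Review bot: The key `firewall::rules::in::ssh::ipset` does not match the class included two lines above, `firewall::rules::in::sshd`, so automatic parameter lookup never binds it and the vault servers' SSH rule is generated without the `ip saddr @jumphost` restriction this line is meant to add. Rename it to `firewall::rules::in::sshd::ipset: jumphost`. Because an unmatched hiera key is silently ignored there is no catalog error to flag this; checking `nft list ruleset` on a vault node after the run would confirm whether the match is present.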


@ -0,0 +1,29 @@
# manage the firewall
class firewall (
Boolean $enable = false,
Hash $ipset_queries = {},
){
if $enable {
$ipset_queries.each |$ipset, $query| {
$ips = sort(query_nodes($query, 'networking.ip'))
nftables::set{$ipset:
type => 'ipv4_addr',
flags => ['dynamic'],
elements => $ips,
}
}
class {'nftables':
in_ssh => false,
in_icmp => true,
out_ntp => false,
out_dns => false,
out_http => false,
out_https => false,
out_icmp => true,
out_all => false,
}
}
}
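Review bot: The set elements come from `query_nodes($query, 'networking.ip')`, i.e. the self-reported `networking.ip` fact of every node whose `enc_role` matches, and nothing validates them before they reach `nftables::set`, where every `ip saddr @set accept` rule trusts them; a host able to alter its own facts can therefore place an address of its choosing into any set its role belongs to, and a malformed or undef value would break the ruleset load. Filter the result to well-formed addresses, e.g. `$ips = sort(query_nodes($query, 'networking.ip').filter |$ip| { $ip =~ Stdlib::IP::Address::V4 })`, and consider whether a trusted fact or an inventory the node cannot influence should be the source. `flags => ['dynamic']` on a set whose members are fully specified at catalog time also deserves a comment, since that flag is normally for sets updated at runtime. The parameters are undocumented; a `# @param enable` / `# @param ipset_queries` header describing the `set name => PuppetDB query` mapping would help.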


@ -0,0 +1,13 @@
class firewall::rules::in::cobbler (
Array[Stdlib::Port] $ports = [25150,25151],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-cobbler_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}


@ -0,0 +1,39 @@
class firewall::rules::in::consul (
Boolean $is_server = false,
) {
# serf traffic (lan and wan)
nftables::rule { 'default_in-consul_udp_8301':
content => 'udp dport 8301 accept',
}
nftables::rule { 'default_in-consul_tcp_8301':
content => 'tcp dport 8301 accept',
}
nftables::rule { 'default_in-consul_udp_8302':
content => 'udp dport 8302 accept',
}
nftables::rule { 'default_in-consul_tcp_8302':
content => 'tcp dport 8302 accept',
}
if $is_server {
# dns interface
nftables::rule { 'default_in-consul_udp_8600':
content => 'udp dport 8600 accept',
}
nftables::rule { 'default_in-consul_tcp_8600':
content => 'tcp dport 8600 accept',
}
# communication with servers
nftables::rule { 'default_in-consul_tcp_8300':
content => 'tcp dport 8300 accept',
}
nftables::rule { 'default_in-consul_tcp_8500':
content => 'tcp dport 8500 accept',
}
nftables::rule { 'default_in-consul_tcp_8503':
content => 'tcp dport 8503 accept',
}
}
}
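Review bot: In the `$is_server` block the rules for 8300, 8500 and 8503 accept from any source, whereas `firewall::rules::out::consul` already restricts the same ports with `ip daddr @consul`; 8500 is the HTTP API port, so this leaves the API reachable from every host that can route to a server. Consider a `String $ipset` parameter and `content => "tcp dport 8500 ip saddr @${ipset} accept"` for at least the API ports, mirroring the outbound class; 8300 must stay reachable from consul clients, so the set used there would need to cover them too. The only hiera override in this compare is `firewall::rules::in::consul::is_server: true`, so adding a parameter is backward-compatible.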


@ -0,0 +1,5 @@
class firewall::rules::in::dhcp {
nftables::rule { 'default_in-dhcp':
content => 'udp sport {67, 68} udp dport {67, 68} accept';
}
}


@ -0,0 +1,19 @@
class firewall::rules::in::dns (
Array[Stdlib::Port] $ports = [53],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
$protocols.each |$proto| {
if $ipset != '' {
$rule = "${proto} dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "${proto} dport ${port} accept"
}
nftables::rule { "default_in-dns_${proto}_${port}":
content => $rule,
}
}
}
}
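Review bot: `$ipset` defaults to `undef`, and on the current Puppet parser `undef != ''` evaluates true, so the default path takes the first branch and interpolates an empty set name, producing `udp dport 53 ip saddr @ accept`, which is not a valid set reference; only callers that explicitly pass a set name (or `''`) get a usable rule. Test for presence instead, `if $ipset { ... } else { ... }` (or `if $ipset =~ NotUndef`). `firewall::rules::in::sshd` has the same `if $ipset != ''` condition and most roles include it with the default, so the fix applies there too.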


@ -0,0 +1,13 @@
# 9100: node_exporter
# 9558: sysstemd_exporter
class firewall::rules::in::exporters (
Array[Stdlib::Port] $ports = [9100,9558],
String $ipset = 'prometheus',
) {
$ports.each |$port| {
nftables::rule { "default_in-metrics_exporter_tcp_${port}":
content => "tcp dport ${port} ip saddr @${ipset} accept",
}
}
}
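Review bot: The header comment reads `# 9558: sysstemd_exporter`, presumably `systemd_exporter`, and it is the only description of what the ports mean; once a role overrides `$ports` (the puppetdb role adds 9635) the comment no longer matches the rules emitted. Replace it with parameter docs, `# @param ports  TCP ports of the metrics exporters to expose` and `# @param ipset  nftables set whose members may reach them (default: prometheus)`, and keep the per-port meaning next to the hiera overrides where the values live.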


@ -0,0 +1,10 @@
class firewall::rules::in::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_in-http_${port}":
content => "tcp dport ${port} accept",
}
}
}


@ -0,0 +1,10 @@
class firewall::rules::in::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_in-https_${port}":
content => "tcp dport ${port} accept",
}
}
}


@ -0,0 +1,10 @@
class firewall::rules::in::mysql (
Array[Stdlib::Port] $ports = [3306],
) {
$ports.each |$port| {
nftables::rule { "default_in-mysql_${port}":
content => "tcp dport ${port} accept",
}
}
}
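Review bot: 3306 is accepted from any source, while the outbound counterpart `firewall::rules::out::mysql` restricts the same traffic to `ip daddr @sql_galera`; a database port is a high-value target, and nothing in this compare includes this class yet, so the restriction can be added without breaking a role. Add `Optional[String] $ipset = undef` and, when set, `content => "tcp dport ${port} ip saddr @${ipset} accept"`, as `firewall::rules::in::exporters` does. `firewall::rules::in::postgres` has the same shape and the same gap.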


@ -0,0 +1,10 @@
class firewall::rules::in::ntp (
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_in-ntp_${port}":
content => "udp dport ${port} accept",
}
}
}


@ -0,0 +1,10 @@
class firewall::rules::in::postgres (
Array[Stdlib::Port] $ports = [5432],
) {
$ports.each |$port| {
nftables::rule { "default_in-postgres_${port}":
content => "tcp dport ${port} accept",
}
}
}


@ -0,0 +1,10 @@
class firewall::rules::in::puppetdbapi (
Array[Stdlib::Port] $ports = [8080,8081],
) {
$ports.each |$port| {
nftables::rule { "default_in-puppetdbapi_${port}":
content => "tcp dport ${port} accept",
}
}
}
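Review bot: Ports 8080 and 8081 are accepted from every source; the PuppetDB API is consumed by a small, known set of hosts, and `firewall::ipset_queries` in common already defines `puppetmaster` and `puppetboard` sets, so the rule can be narrowed. A `String $ipset` parameter with `content => "tcp dport ${port} ip saddr @${ipset} accept"` would do it, or an `Array[String]` of set names if both sets must be allowed. 8080 is conventionally the cleartext PuppetDB port; if it is unused on these nodes it should not be opened at all.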


@ -0,0 +1,16 @@
class firewall::rules::in::sshd (
Array[Stdlib::Port] $ports = [22],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
if $ipset != '' {
$rule = "tcp dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "tcp dport ${port} accept"
}
nftables::rule { "default_in-sshd_tcp_${port}":
content => $rule,
}
}
}


@ -0,0 +1,13 @@
class firewall::rules::in::tftp (
Array[Stdlib::Port] $ports = [69],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-tftp_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}


@ -0,0 +1,10 @@
class firewall::rules::in::vault (
Array[Stdlib::Port] $ports = [8200, 8201],
) {
$ports.each |$port| {
nftables::rule { "default_in-vaultserver_${port}":
content => "tcp dport ${port} accept",
}
}
}
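Review bot: Both ports are accepted from any source, but 8201 is the Vault cluster port used only between servers, and common already defines a `vault` set in `firewall::ipset_queries`, so 8201 can be restricted to `ip saddr @vault` while 8200 stays open for clients. The smallest change is a separate rule `tcp dport 8201 ip saddr @vault accept` with the default `$ports` reduced to `[8200]`; a `$cluster_ipset` parameter would keep it overridable. The titles `default_in-vaultserver_${port}` also differ from the `default_in-<name>_tcp_<port>` pattern the sibling classes use; aligning them keeps `nft list ruleset` output easy to read.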


@ -0,0 +1,8 @@
class firewall::rules::out::ceph_client (
Array[Stdlib::Port,1] $ports = [3300, 6789],
) {
nftables::rule {
'default_out-ceph_client':
content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
}
}


@ -0,0 +1,29 @@
class firewall::rules::out::consul (
String $ipset = 'consul',
) {
# serf traffic (lan and wan)
nftables::rule { 'default_out-consul_udp_8301':
content => 'udp dport 8301 accept',
}
nftables::rule { 'default_out-consul_tcp_8301':
content => 'tcp dport 8301 accept',
}
nftables::rule { 'default_out-consul_udp_8302':
content => 'udp dport 8302 accept',
}
nftables::rule { 'default_out-consul_tcp_8302':
content => 'tcp dport 8302 accept',
}
# communication with servers
nftables::rule { 'default_out-consul_tcp_8300':
content => "tcp dport 8300 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8500':
content => "tcp dport 8500 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8503':
content => "tcp dport 8503 ip daddr @${ipset} accept",
}
}


@ -0,0 +1,5 @@
class firewall::rules::out::dhcp {
nftables::rule { 'default_out-dhcpc':
content => 'udp sport {67, 68} udp dport {67, 68} accept';
}
}


@ -0,0 +1,11 @@
class firewall::rules::out::dns (
String $ipset = 'dns_resolver',
) {
nftables::rule { 'default_out-dns_udp_53':
content => "udp dport 53 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-dns_tcp_53':
content => "tcp dport 53 ip daddr @${ipset} accept",
}
}


@ -0,0 +1,10 @@
class firewall::rules::out::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_out-http_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}
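Review bot: With `out_all => false` in `class firewall`, egress is meant to be allow-listed, but this class (included for every node via common) accepts TCP 80 to any destination, and `firewall::rules::out::https` does the same for 443, so outbound web access is effectively unrestricted. If that is intended, a comment stating it would help the next reader; otherwise add an `Optional[String] $ipset = undef` parameter as the other `out::` classes have, so roles that only need package repos or the edge cache (an `edgecache` set already exists) can pin the destination.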


@ -0,0 +1,10 @@
class firewall::rules::out::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_out-https_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}


@ -0,0 +1,7 @@
class firewall::rules::out::mysql (
String $ipset = 'sql_galera',
){
nftables::rule { 'default_out-mysql_tcp_3306':
content => "tcp dport 3306 ip daddr @${ipset} accept",
}
}


@ -0,0 +1,11 @@
class firewall::rules::out::ntp (
String $ipset = 'ntp',
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_out-ntp_udp_${port}":
content => "udp dport ${port} ip daddr @${ipset} accept",
}
}
}


@ -0,0 +1,7 @@
class firewall::rules::out::postgres (
String $ipset = 'sql_galera',
){
nftables::rule { 'default_out-postgres_tcp_5432':
content => "tcp dport 5432 ip daddr @${ipset} accept",
}
}
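Review bot: `$ipset` defaults to `'sql_galera'`, the same set as `firewall::rules::out::mysql`, but the common `ipset_queries` define a separate `sql_patroni` set for the Postgres role, so a Postgres client taking the default would be allowed to the Galera servers and not to the Patroni ones; this looks like a copy of the mysql class. Change the default to `String $ipset = 'sql_patroni',` unless the Postgres servers really are members of the Galera set.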


@ -0,0 +1,11 @@
class firewall::rules::out::puppet (
String $ipset = 'puppetmaster',
Array[Stdlib::Port] $ports = [8140],
) {
$ports.each |$port| {
nftables::rule { "default_out-puppet_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}


@ -0,0 +1,11 @@
class firewall::rules::out::vault (
String $ipset = 'vault',
Array[Stdlib::Port] $ports = [8200],
) {
$ports.each |$port| {
nftables::rule { "default_out-vault_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}


@ -38,6 +38,7 @@ class profiles::base (
include profiles::metrics::default include profiles::metrics::default
include profiles::helpers::node_lookup include profiles::helpers::node_lookup
include profiles::consul::client include profiles::consul::client
include firewall
# include the python class # include the python class
class { 'python': class { 'python':


@ -4,7 +4,6 @@ class profiles::base::repos {
case $facts['os']['family'] { case $facts['os']['family'] {
'RedHat': { 'RedHat': {
include profiles::yum::global include profiles::yum::global
include profiles::firewall::firewalld
} }
'Debian': { 'Debian': {
include profiles::apt::global include profiles::apt::global