12 Commits

Author SHA1 Message Date
unkinben 90ce015d43 feat: add enable/disable flag to firewall::init 2024-11-16 11:50:35 +11:00
unkinben b9465cd78b feat: add firewall rules
- create classes for each class of in/out traffic
- use hier_include to add firewall rules to each role
2024-11-10 12:47:35 +11:00
unkinben ce12303576 feat: add firewall module
- add nftables/ipset modules
- add custom firewall module
2024-11-03 03:32:20 +11:00
unkinben 09a448ea52 Merge pull request 'feat: add vault admin group' (#166) from neoloc/vault_global_admin into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/166
2024-10-21 19:41:31 +11:00
unkinben 1db8847833 feat: add vault admin group
- group will be assigned global admin rights
2024-10-21 19:40:52 +11:00
unkinben 6d919580e1 Merge pull request 'neoloc/adduser' (#165) from neoloc/adduser into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/165
2024-10-20 13:14:50 +11:00
unkinben 5549275ecc chore: add new user
- add margol as standard media user
2024-10-20 13:12:36 +11:00
unkinben 7acfea8547 fix: correct given/sn fields
- fix ryadun's given/sn fields
2024-10-20 13:12:02 +11:00
unkinben 318e816568 Merge pull request 'feat: update certbot module' (#164) from neoloc/restart_nginx into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/164
2024-10-07 13:42:57 +11:00
unkinben 2ef4fb0bf8 feat: update certbot module
- update documentation
- add option to notify services
- set haproxy role to notify the haproxy service
2024-10-07 13:40:53 +11:00
unkinben 2013641720 Merge pull request 'feat: restart nginx on ssl change' (#163) from neoloc/restart_nginx into develop
Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/163
2024-09-27 21:51:15 +10:00
unkinben 4bf4b42fdf feat: restart nginx on ssl change
- manage nginx service from simpleproxy class
- ensure nginx restarts when ssl certificates are changed
2024-09-27 21:46:46 +10:00
42 changed files with 472 additions and 8 deletions
+2 -1
View File
@@ -11,7 +11,6 @@ mod 'puppetlabs-apt', '9.4.0'
mod 'puppetlabs-lvm', '2.1.0'
mod 'puppetlabs-puppetdb', '7.13.0'
mod 'puppetlabs-postgresql', '9.1.0'
mod 'puppetlabs-firewall', '6.0.0'
mod 'puppetlabs-accounts', '8.1.0'
mod 'puppetlabs-mysql', '15.0.0'
mod 'puppetlabs-xinetd', '3.4.1'
@@ -42,6 +41,8 @@ mod 'puppet-filemapper', '4.0.0'
mod 'puppet-letsencrypt', '11.0.0'
mod 'puppet-rundeck', '9.1.0'
mod 'puppet-redis', '11.0.0'
mod 'puppet-ipset', '4.3.0'
mod 'puppet-nftables', '4.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
+37
View File
@@ -143,6 +143,15 @@ hiera_include:
- networking
- ssh::server
- profiles::accounts::rundeck
- firewall::rules::in::exporters
- firewall::rules::in::consul
- firewall::rules::out::consul
- firewall::rules::out::dns
- firewall::rules::out::http
- firewall::rules::out::https
- firewall::rules::out::ntp
- firewall::rules::out::puppet
- firewall::rules::out::vault
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
profiles::ntp::client::use_ntp: 'region'
@@ -341,3 +350,31 @@ profiles::ceph::client::mons:
# aliases:
# - prodinf01n22
# - repos.main.unkin.net
firewall::enable: true
firewall::ipset_queries:
certbot: "enc_role=roles::infra::pki::certbot"
cobbler: "enc_role=roles::infra::cobbler::server"
consul: "enc_role=roles::infra::storage::consul"
dhcp: "enc_role=roles::infra::dhcp::server"
dns_master: "enc_role=roles::infra::dns::master"
dns_resolver: "enc_role=roles::infra::dns::resolver"
edgecache: "enc_role=roles::infra::storage::edgecache"
gitea_runner: "enc_role=roles::infra::git::runner"
gitea_server: "enc_role=roles::infra::git::gitea"
glauth: "enc_role=roles::infra::auth::glauth"
gonic: "enc_role=roles::apps::music::gonic"
grafana: "enc_role=roles::infra::metrics::grafana"
haproxy: "enc_role=roles::infra::halb::haproxy"
jumphost: "enc_role=roles::infra::proxy::jumphost"
ntp: "enc_role=roles::infra::ntp::server"
prometheus: "enc_role=roles::infra::metrics::prometheus"
puppetboard: "enc_role=roles::infra::puppetboard::server"
puppetmaster: "enc_role=roles::infra::puppet::master"
puppetdb_sql: "enc_role=roles::infra::puppetdb::sql"
puppetdb_api: "enc_role=roles::infra::puppetdb::api"
redis: "enc_role=roles::infra::db::redis"
rundeck: "enc_role=roles::infra::automation::rundeck"
sql_galera: "enc_role=roles::infra::sql::galera"
sql_patroni: "enc_role=roles::infra::sql::patroni"
vault: "enc_role=roles::infra::storage::vault"
@@ -260,6 +260,7 @@ profiles::haproxy::dns::cnames:
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::service: haproxy
certbot::client::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
+2
View File
@@ -10,6 +10,8 @@ hiera_include:
profiles::packages::include:
lzo: {}
firewalld:
ensure: absent
network-scripts: {}
policycoreutils: {}
unar: {}
+23 -2
View File
@@ -62,6 +62,7 @@ glauth::users:
- 20017
- 20018
- 20023
- 20024
loginshell: '/bin/bash'
homedir: '/home/benvin'
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -138,8 +139,8 @@ glauth::users:
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
ryadun:
user_name: 'ryadun'
givenname: 'Dunbar'
sn: 'Ryan'
givenname: 'Ryan'
sn: 'Dunbar'
mail: 'ryadun@users.main.unkin.net'
uidnumber: 20005
primarygroup: 20000
@@ -153,6 +154,23 @@ glauth::users:
loginshell: '/bin/bash'
homedir: '/home/ryadun'
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
margol:
user_name: 'margol'
givenname: 'Maree'
sn: 'Goldsworthy'
mail: 'margol@users.main.unkin.net'
uidnumber: 20006
primarygroup: 20000
othergroups:
- 20010 # jelly
- 20011 # sonarr
- 20012 # radarr
- 20013 # lidarr
- 20014 # readarr
- 20016 # nzbget
loginshell: '/bin/bash'
homedir: '/home/margol'
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
glauth::services:
svc_jellyfin:
@@ -273,3 +291,6 @@ glauth::groups:
vault_access:
group_name: 'vault_access'
gidnumber: 20023
vault_admin:
group_name: 'vault_admin'
gidnumber: 20024
@@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive
hiera_include:
- profiles::selinux::setenforce
- firewall::rules::in::cobbler
- firewall::rules::in::http
- firewall::rules::in::https
- firewall::rules::in::tftp
- firewall::rules::in::sshd
+4
View File
@@ -1,4 +1,8 @@
---
hiera_include:
- firewall::rules::in::dhcp
- firewall::rules::in::sshd
profiles::dhcp::server::ntpservers:
- ntp01.main.unkin.net
- ntp02.main.unkin.net
+2
View File
@@ -2,6 +2,8 @@
hiera_include:
- certbot
- profiles::pki::puppetcerts
- firewall::rules::in::sshd
- firewall::rules::in::https
certbot::domains:
- au-syd1-pve.main.unkin.net
+9
View File
@@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
- resource: service
segment: puppetdbapi
disposition: write
hiera_include:
- firewall::rules::in::sshd
- firewall::rules::in::puppetdbapi
firewall::rules::in::exporters::ports:
- 9100
- 9558
- 9635
@@ -1,4 +1,13 @@
---
hiera_include:
- firewall::rules::in::consul
- firewall::rules::in::dns
- firewall::rules::in::http
- firewall::rules::in::https
- firewall::rules::in::sshd
firewall::rules::in::consul::is_server: true
profiles::consul::server::members_lookup: true
profiles::consul::server::data_dir: /data/consul
profiles::consul::server::addresses:
+6
View File
@@ -1,4 +1,10 @@
---
hiera_include:
- firewall::rules::in::sshd
- firewall::rules::in::vault
firewall::rules::in::ssh::ipset: jumphost
profiles::vault::server::members_role: roles::infra::storage::vault
profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault
+12 -4
View File
@@ -1,7 +1,14 @@
# used by certbot clients to request letsencrypt certificates
# - domains: list of certificates to generate
# - webserver: where the client downloads certificates from
# - data_dir: where to store the certificates on the client
# - services: the services to notify when certificates change
#
class certbot::client (
Array[Stdlib::Fqdn] $domains,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
Optional[String] $service = undef,
) {
mkdir::p {$data_dir:}
@@ -14,10 +21,11 @@ class certbot::client (
$domains.each |$domain| {
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
domain => $domain,
destination => "${data_dir}/${domain}",
webserver => $webserver,
require => File[$data_dir],
domain => $domain,
destination => "${data_dir}/${domain}",
webserver => $webserver,
require => File[$data_dir],
notify_service => $service,
}
}
}
+15
View File
@@ -1,7 +1,13 @@
# a define for creating a single certificate
# - domain: the domain to generate a certificate for
# - webserver: where to download the certificate from
# - destination: the data directory on the client
# - notify_service: what service to notify when the concat exec completes
define certbot::client::cert (
Stdlib::Fqdn $domain,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
Optional[String] $notify_service = undef,
) {
file { $destination:
@@ -34,8 +40,16 @@ define certbot::client::cert (
}
}
# create file resources
create_resources(file, $files_to_create)
# if notify_service is specified
if $notify_service != undef {
$service = Service[$notify_service]
}else{
$service = undef
}
exec { "concat_${domain}_certs":
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
path => ['/bin', '/usr/bin'],
@@ -44,6 +58,7 @@ define certbot::client::cert (
File["${destination}/fullchain.pem"],
File["${destination}/privkey.pem"],
],
notify => $service,
}
} else {
notify { 'Certificates are not yet ready on the generator server.': }
+29
View File
@@ -0,0 +1,29 @@
# manage the firewall
class firewall (
Boolean $enable = false,
Hash $ipset_queries = {},
){
if $enable {
$ipset_queries.each |$ipset, $query| {
$ips = sort(query_nodes($query, 'networking.ip'))
nftables::set{$ipset:
type => 'ipv4_addr',
flags => ['dynamic'],
elements => $ips,
}
}
class {'nftables':
in_ssh => false,
in_icmp => true,
out_ntp => false,
out_dns => false,
out_http => false,
out_https => false,
out_icmp => true,
out_all => false,
}
}
}
@@ -0,0 +1,13 @@
class firewall::rules::in::cobbler (
Array[Stdlib::Port] $ports = [25150,25151],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-cobbler_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}
@@ -0,0 +1,39 @@
class firewall::rules::in::consul (
Boolean $is_server = false,
) {
# serf traffic (lan and wan)
nftables::rule { 'default_in-consul_udp_8301':
content => 'udp dport 8301 accept',
}
nftables::rule { 'default_in-consul_tcp_8301':
content => 'tcp dport 8301 accept',
}
nftables::rule { 'default_in-consul_udp_8302':
content => 'udp dport 8302 accept',
}
nftables::rule { 'default_in-consul_tcp_8302':
content => 'tcp dport 8302 accept',
}
if $is_server {
# dns interface
nftables::rule { 'default_in-consul_udp_8600':
content => 'udp dport 8600 accept',
}
nftables::rule { 'default_in-consul_tcp_8600':
content => 'tcp dport 8600 accept',
}
# communication with servers
nftables::rule { 'default_in-consul_tcp_8300':
content => 'tcp dport 8300 accept',
}
nftables::rule { 'default_in-consul_tcp_8500':
content => 'tcp dport 8500 accept',
}
nftables::rule { 'default_in-consul_tcp_8503':
content => 'tcp dport 8503 accept',
}
}
}
@@ -0,0 +1,5 @@
class firewall::rules::in::dhcp {
nftables::rule { 'default_in-dhcp':
content => 'udp sport {67, 68} udp dport {67, 68} accept';
}
}
@@ -0,0 +1,19 @@
class firewall::rules::in::dns (
Array[Stdlib::Port] $ports = [53],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
$protocols.each |$proto| {
if $ipset != '' {
$rule = "${proto} dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "${proto} dport ${port} accept"
}
nftables::rule { "default_in-dns_${proto}_${port}":
content => $rule,
}
}
}
}
@@ -0,0 +1,13 @@
# 9100: node_exporter
# 9558: sysstemd_exporter
class firewall::rules::in::exporters (
Array[Stdlib::Port] $ports = [9100,9558],
String $ipset = 'prometheus',
) {
$ports.each |$port| {
nftables::rule { "default_in-metrics_exporter_tcp_${port}":
content => "tcp dport ${port} ip saddr @${ipset} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_in-http_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_in-https_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::mysql (
Array[Stdlib::Port] $ports = [3306],
) {
$ports.each |$port| {
nftables::rule { "default_in-mysql_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::ntp (
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_in-ntp_${port}":
content => "udp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::postgres (
Array[Stdlib::Port] $ports = [5432],
) {
$ports.each |$port| {
nftables::rule { "default_in-postgres_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::puppetdbapi (
Array[Stdlib::Port] $ports = [8080,8081],
) {
$ports.each |$port| {
nftables::rule { "default_in-puppetdbapi_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,16 @@
class firewall::rules::in::sshd (
Array[Stdlib::Port] $ports = [22],
Optional[String] $ipset = undef,
) {
$ports.each |$port| {
if $ipset != '' {
$rule = "tcp dport ${port} ip saddr @${ipset} accept"
}else{
$rule = "tcp dport ${port} accept"
}
nftables::rule { "default_in-sshd_tcp_${port}":
content => $rule,
}
}
}
@@ -0,0 +1,13 @@
class firewall::rules::in::tftp (
Array[Stdlib::Port] $ports = [69],
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
) {
$ports.each |$port| {
$protocols.each |$proto| {
nftables::rule { "default_in-tftp_${proto}_${port}":
content => "${proto} dport ${port} accept",
}
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::in::vault (
Array[Stdlib::Port] $ports = [8200, 8201],
) {
$ports.each |$port| {
nftables::rule { "default_in-vaultserver_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,8 @@
class firewall::rules::out::ceph_client (
Array[Stdlib::Port,1] $ports = [3300, 6789],
) {
nftables::rule {
'default_out-ceph_client':
content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
}
}
@@ -0,0 +1,29 @@
class firewall::rules::out::consul (
String $ipset = 'consul',
) {
# serf traffic (lan and wan)
nftables::rule { 'default_out-consul_udp_8301':
content => 'udp dport 8301 accept',
}
nftables::rule { 'default_out-consul_tcp_8301':
content => 'tcp dport 8301 accept',
}
nftables::rule { 'default_out-consul_udp_8302':
content => 'udp dport 8302 accept',
}
nftables::rule { 'default_out-consul_tcp_8302':
content => 'tcp dport 8302 accept',
}
# communication with servers
nftables::rule { 'default_out-consul_tcp_8300':
content => "tcp dport 8300 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8500':
content => "tcp dport 8500 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-consul_tcp_8503':
content => "tcp dport 8503 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,5 @@
class firewall::rules::out::dhcp {
nftables::rule { 'default_out-dhcpc':
content => 'udp sport {67, 68} udp dport {67, 68} accept';
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::dns (
String $ipset = 'dns_resolver',
) {
nftables::rule { 'default_out-dns_udp_53':
content => "udp dport 53 ip daddr @${ipset} accept",
}
nftables::rule { 'default_out-dns_tcp_53':
content => "tcp dport 53 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,10 @@
class firewall::rules::out::http (
Array[Stdlib::Port] $ports = [80],
) {
$ports.each |$port| {
nftables::rule { "default_out-http_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,10 @@
class firewall::rules::out::https (
Array[Stdlib::Port] $ports = [443],
) {
$ports.each |$port| {
nftables::rule { "default_out-https_tcp_${port}":
content => "tcp dport ${port} accept",
}
}
}
@@ -0,0 +1,7 @@
class firewall::rules::out::mysql (
String $ipset = 'sql_galera',
){
nftables::rule { 'default_out-mysql_tcp_3306':
content => "tcp dport 3306 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::ntp (
String $ipset = 'ntp',
Array[Stdlib::Port] $ports = [123],
) {
$ports.each |$port| {
nftables::rule { "default_out-ntp_udp_${port}":
content => "udp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,7 @@
class firewall::rules::out::postgres (
String $ipset = 'sql_galera',
){
nftables::rule { 'default_out-postgres_tcp_5432':
content => "tcp dport 5432 ip daddr @${ipset} accept",
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::puppet (
String $ipset = 'puppetmaster',
Array[Stdlib::Port] $ports = [8140],
) {
$ports.each |$port| {
nftables::rule { "default_out-puppet_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}
@@ -0,0 +1,11 @@
class firewall::rules::out::vault (
String $ipset = 'vault',
Array[Stdlib::Port] $ports = [8200],
) {
$ports.each |$port| {
nftables::rule { "default_out-vault_${port}":
content => "tcp dport ${port} ip daddr @${ipset} accept",
}
}
}
+1
View File
@@ -38,6 +38,7 @@ class profiles::base (
include profiles::metrics::default
include profiles::helpers::node_lookup
include profiles::consul::client
include firewall
# include the python class
class { 'python':
-1
View File
@@ -4,7 +4,6 @@ class profiles::base::repos {
case $facts['os']['family'] {
'RedHat': {
include profiles::yum::global
include profiles::firewall::firewalld
}
'Debian': {
include profiles::apt::global
@@ -113,6 +113,7 @@ class profiles::nginx::simpleproxy (
proxy_cache_max_size => '1024m',
proxy_cache_inactive => '10m',
proxy_temp_path => '/var/cache/nginx/cache_temp',
service_manage => false,
}
# create the nginx vhost with the merged parameters
@@ -132,5 +133,11 @@ class profiles::nginx::simpleproxy (
value => 'on',
}
}
service { 'nginx':
ensure => true,
enable => true,
subscribe => [File[$selected_ssl_cert], File[$selected_ssl_key]],
}
}
}