Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 90ce015d43 | |||
| b9465cd78b | |||
| ce12303576 | |||
| 09a448ea52 | |||
| 1db8847833 | |||
| 6d919580e1 | |||
| 5549275ecc | |||
| 7acfea8547 | |||
| 318e816568 | |||
| 2ef4fb0bf8 | |||
| 2013641720 | |||
| 4bf4b42fdf |
+2
-1
@@ -11,7 +11,6 @@ mod 'puppetlabs-apt', '9.4.0'
|
|||||||
mod 'puppetlabs-lvm', '2.1.0'
|
mod 'puppetlabs-lvm', '2.1.0'
|
||||||
mod 'puppetlabs-puppetdb', '7.13.0'
|
mod 'puppetlabs-puppetdb', '7.13.0'
|
||||||
mod 'puppetlabs-postgresql', '9.1.0'
|
mod 'puppetlabs-postgresql', '9.1.0'
|
||||||
mod 'puppetlabs-firewall', '6.0.0'
|
|
||||||
mod 'puppetlabs-accounts', '8.1.0'
|
mod 'puppetlabs-accounts', '8.1.0'
|
||||||
mod 'puppetlabs-mysql', '15.0.0'
|
mod 'puppetlabs-mysql', '15.0.0'
|
||||||
mod 'puppetlabs-xinetd', '3.4.1'
|
mod 'puppetlabs-xinetd', '3.4.1'
|
||||||
@@ -42,6 +41,8 @@ mod 'puppet-filemapper', '4.0.0'
|
|||||||
mod 'puppet-letsencrypt', '11.0.0'
|
mod 'puppet-letsencrypt', '11.0.0'
|
||||||
mod 'puppet-rundeck', '9.1.0'
|
mod 'puppet-rundeck', '9.1.0'
|
||||||
mod 'puppet-redis', '11.0.0'
|
mod 'puppet-redis', '11.0.0'
|
||||||
|
mod 'puppet-ipset', '4.3.0'
|
||||||
|
mod 'puppet-nftables', '4.0.0'
|
||||||
|
|
||||||
# other
|
# other
|
||||||
mod 'ghoneycutt-puppet', '3.3.0'
|
mod 'ghoneycutt-puppet', '3.3.0'
|
||||||
|
|||||||
@@ -143,6 +143,15 @@ hiera_include:
|
|||||||
- networking
|
- networking
|
||||||
- ssh::server
|
- ssh::server
|
||||||
- profiles::accounts::rundeck
|
- profiles::accounts::rundeck
|
||||||
|
- firewall::rules::in::exporters
|
||||||
|
- firewall::rules::in::consul
|
||||||
|
- firewall::rules::out::consul
|
||||||
|
- firewall::rules::out::dns
|
||||||
|
- firewall::rules::out::http
|
||||||
|
- firewall::rules::out::https
|
||||||
|
- firewall::rules::out::ntp
|
||||||
|
- firewall::rules::out::puppet
|
||||||
|
- firewall::rules::out::vault
|
||||||
|
|
||||||
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
profiles::ntp::client::ntp_role: 'roles::infra::ntp::server'
|
||||||
profiles::ntp::client::use_ntp: 'region'
|
profiles::ntp::client::use_ntp: 'region'
|
||||||
@@ -341,3 +350,31 @@ profiles::ceph::client::mons:
|
|||||||
# aliases:
|
# aliases:
|
||||||
# - prodinf01n22
|
# - prodinf01n22
|
||||||
# - repos.main.unkin.net
|
# - repos.main.unkin.net
|
||||||
|
|
||||||
|
firewall::enable: true
|
||||||
|
firewall::ipset_queries:
|
||||||
|
certbot: "enc_role=roles::infra::pki::certbot"
|
||||||
|
cobbler: "enc_role=roles::infra::cobbler::server"
|
||||||
|
consul: "enc_role=roles::infra::storage::consul"
|
||||||
|
dhcp: "enc_role=roles::infra::dhcp::server"
|
||||||
|
dns_master: "enc_role=roles::infra::dns::master"
|
||||||
|
dns_resolver: "enc_role=roles::infra::dns::resolver"
|
||||||
|
edgecache: "enc_role=roles::infra::storage::edgecache"
|
||||||
|
gitea_runner: "enc_role=roles::infra::git::runner"
|
||||||
|
gitea_server: "enc_role=roles::infra::git::gitea"
|
||||||
|
glauth: "enc_role=roles::infra::auth::glauth"
|
||||||
|
gonic: "enc_role=roles::apps::music::gonic"
|
||||||
|
grafana: "enc_role=roles::infra::metrics::grafana"
|
||||||
|
haproxy: "enc_role=roles::infra::halb::haproxy"
|
||||||
|
jumphost: "enc_role=roles::infra::proxy::jumphost"
|
||||||
|
ntp: "enc_role=roles::infra::ntp::server"
|
||||||
|
prometheus: "enc_role=roles::infra::metrics::prometheus"
|
||||||
|
puppetboard: "enc_role=roles::infra::puppetboard::server"
|
||||||
|
puppetmaster: "enc_role=roles::infra::puppet::master"
|
||||||
|
puppetdb_sql: "enc_role=roles::infra::puppetdb::sql"
|
||||||
|
puppetdb_api: "enc_role=roles::infra::puppetdb::api"
|
||||||
|
redis: "enc_role=roles::infra::db::redis"
|
||||||
|
rundeck: "enc_role=roles::infra::automation::rundeck"
|
||||||
|
sql_galera: "enc_role=roles::infra::sql::galera"
|
||||||
|
sql_patroni: "enc_role=roles::infra::sql::patroni"
|
||||||
|
vault: "enc_role=roles::infra::storage::vault"
|
||||||
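Review bot: `firewall::enable: true` at the end of this file turns the nftables ruleset on for every node, and the `firewall` class it drives declares `class {'nftables': in_ssh => false}`, yet the `hiera_include` additions earlier in the file (the block starting with `- firewall::rules::in::exporters`) add no inbound SSH rule; unless `hiera_include` is deep-merged from every layer, a node whose role data does not add `firewall::rules::in::sshd` loses remote access on its next agent run. Consider adding `- firewall::rules::in::sshd` next to `- firewall::rules::in::exporters` so the baseline always carries it. The `firewall::ipset_queries` map is also the only place the set names exist, and a rule class whose `$ipset` default does not match one of these keys silently matches nothing; a comment such as `# set names are consumed by the $ipset parameters of firewall::rules::in::* / out::*` would help keep the two in step.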
|
|||||||
@@ -260,6 +260,7 @@ profiles::haproxy::dns::cnames:
|
|||||||
- au-syd1-pve-api.main.unkin.net
|
- au-syd1-pve-api.main.unkin.net
|
||||||
|
|
||||||
# letsencrypt certificates
|
# letsencrypt certificates
|
||||||
|
certbot::client::service: haproxy
|
||||||
certbot::client::domains:
|
certbot::client::domains:
|
||||||
- au-syd1-pve.main.unkin.net
|
- au-syd1-pve.main.unkin.net
|
||||||
- au-syd1-pve-api.main.unkin.net
|
- au-syd1-pve-api.main.unkin.net
|
||||||
|
|||||||
@@ -10,6 +10,8 @@ hiera_include:
|
|||||||
|
|
||||||
profiles::packages::include:
|
profiles::packages::include:
|
||||||
lzo: {}
|
lzo: {}
|
||||||
|
firewalld:
|
||||||
|
ensure: absent
|
||||||
network-scripts: {}
|
network-scripts: {}
|
||||||
policycoreutils: {}
|
policycoreutils: {}
|
||||||
unar: {}
|
unar: {}
|
||||||
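Review bot: `firewalld: ensure: absent` removes the existing host firewall in the same run that first loads the nftables ruleset, so if that ruleset fails to load (for instance from a malformed rule) the node is presumably left with no packet filter until a later successful run; this data file cannot express ordering, so the window is inferred from the two resources being applied together. If the profile that realises `profiles::packages::include` can take a relationship, making the `firewalld` removal depend on the nftables service being up, e.g. `require: Service['nftables']` where the package resource is declared, would close that gap.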
|
|||||||
@@ -62,6 +62,7 @@ glauth::users:
|
|||||||
- 20017
|
- 20017
|
||||||
- 20018
|
- 20018
|
||||||
- 20023
|
- 20023
|
||||||
|
- 20024
|
||||||
loginshell: '/bin/bash'
|
loginshell: '/bin/bash'
|
||||||
homedir: '/home/benvin'
|
homedir: '/home/benvin'
|
||||||
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
|
||||||
@@ -138,8 +139,8 @@ glauth::users:
|
|||||||
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
|
passsha256: '5b01659bca1ecb27847d2f746fab03eb169879ebcc86547024753dac7cb184c4'
|
||||||
ryadun:
|
ryadun:
|
||||||
user_name: 'ryadun'
|
user_name: 'ryadun'
|
||||||
givenname: 'Dunbar'
|
givenname: 'Ryan'
|
||||||
sn: 'Ryan'
|
sn: 'Dunbar'
|
||||||
mail: 'ryadun@users.main.unkin.net'
|
mail: 'ryadun@users.main.unkin.net'
|
||||||
uidnumber: 20005
|
uidnumber: 20005
|
||||||
primarygroup: 20000
|
primarygroup: 20000
|
||||||
@@ -153,6 +154,23 @@ glauth::users:
|
|||||||
loginshell: '/bin/bash'
|
loginshell: '/bin/bash'
|
||||||
homedir: '/home/ryadun'
|
homedir: '/home/ryadun'
|
||||||
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
|
passsha256: 'ee17174d49545f6f7257ae79eb173de4acf2b2edf55e181de90decd0e4b4e617'
|
||||||
|
margol:
|
||||||
|
user_name: 'margol'
|
||||||
|
givenname: 'Maree'
|
||||||
|
sn: 'Goldsworthy'
|
||||||
|
mail: 'margol@users.main.unkin.net'
|
||||||
|
uidnumber: 20006
|
||||||
|
primarygroup: 20000
|
||||||
|
othergroups:
|
||||||
|
- 20010 # jelly
|
||||||
|
- 20011 # sonarr
|
||||||
|
- 20012 # radarr
|
||||||
|
- 20013 # lidarr
|
||||||
|
- 20014 # readarr
|
||||||
|
- 20016 # nzbget
|
||||||
|
loginshell: '/bin/bash'
|
||||||
|
homedir: '/home/margol'
|
||||||
|
passsha256: '31a66085fb7eaeb059e51d1376233db72b54f96a6c45947aafbb350c83e618ef'
|
||||||
|
|
||||||
glauth::services:
|
glauth::services:
|
||||||
svc_jellyfin:
|
svc_jellyfin:
|
||||||
@@ -273,3 +291,6 @@ glauth::groups:
|
|||||||
vault_access:
|
vault_access:
|
||||||
group_name: 'vault_access'
|
group_name: 'vault_access'
|
||||||
gidnumber: 20023
|
gidnumber: 20023
|
||||||
|
vault_admin:
|
||||||
|
group_name: 'vault_admin'
|
||||||
|
gidnumber: 20024
|
||||||
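Review bot: The new `margol` entry, like the existing users in this file, stores its credential as `passsha256` in plain YAML under version control; GLAuth's `passsha256` field is an unsalted SHA-256 hex digest, so anyone with read access to the repository holds directly attackable password material. Consider moving these fields to an encrypted hiera backend (eyaml or hiera-vault) and using GLAuth's `passbcrypt` field for new accounts. The `givenname`/`sn` swap for `ryadun` reads correctly now; a short comment above the new `othergroups:` list stating that the numbers are `gidnumber` values from `glauth::groups` (as the inline `# jelly`, `# sonarr` hints suggest) would make the mapping explicit, e.g. `othergroups: # gidnumbers defined under glauth::groups`.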
|
|||||||
@@ -19,3 +19,8 @@ profiles::selinux::setenforce::mode: permissive
|
|||||||
|
|
||||||
hiera_include:
|
hiera_include:
|
||||||
- profiles::selinux::setenforce
|
- profiles::selinux::setenforce
|
||||||
|
- firewall::rules::in::cobbler
|
||||||
|
- firewall::rules::in::http
|
||||||
|
- firewall::rules::in::https
|
||||||
|
- firewall::rules::in::tftp
|
||||||
|
- firewall::rules::in::sshd
|
||||||
|
|||||||
@@ -1,4 +1,8 @@
|
|||||||
---
|
---
|
||||||
|
hiera_include:
|
||||||
|
- firewall::rules::in::dhcp
|
||||||
|
- firewall::rules::in::sshd
|
||||||
|
|
||||||
profiles::dhcp::server::ntpservers:
|
profiles::dhcp::server::ntpservers:
|
||||||
- ntp01.main.unkin.net
|
- ntp01.main.unkin.net
|
||||||
- ntp02.main.unkin.net
|
- ntp02.main.unkin.net
|
||||||
|
|||||||
@@ -2,6 +2,8 @@
|
|||||||
hiera_include:
|
hiera_include:
|
||||||
- certbot
|
- certbot
|
||||||
- profiles::pki::puppetcerts
|
- profiles::pki::puppetcerts
|
||||||
|
- firewall::rules::in::sshd
|
||||||
|
- firewall::rules::in::https
|
||||||
|
|
||||||
certbot::domains:
|
certbot::domains:
|
||||||
- au-syd1-pve.main.unkin.net
|
- au-syd1-pve.main.unkin.net
|
||||||
|
|||||||
@@ -37,3 +37,12 @@ profiles::consul::client::node_rules:
|
|||||||
- resource: service
|
- resource: service
|
||||||
segment: puppetdbapi
|
segment: puppetdbapi
|
||||||
disposition: write
|
disposition: write
|
||||||
|
|
||||||
|
hiera_include:
|
||||||
|
- firewall::rules::in::sshd
|
||||||
|
- firewall::rules::in::puppetdbapi
|
||||||
|
|
||||||
|
firewall::rules::in::exporters::ports:
|
||||||
|
- 9100
|
||||||
|
- 9558
|
||||||
|
- 9635
|
||||||
|
|||||||
@@ -1,4 +1,13 @@
|
|||||||
---
|
---
|
||||||
|
hiera_include:
|
||||||
|
- firewall::rules::in::consul
|
||||||
|
- firewall::rules::in::dns
|
||||||
|
- firewall::rules::in::http
|
||||||
|
- firewall::rules::in::https
|
||||||
|
- firewall::rules::in::sshd
|
||||||
|
|
||||||
|
firewall::rules::in::consul::is_server: true
|
||||||
|
|
||||||
profiles::consul::server::members_lookup: true
|
profiles::consul::server::members_lookup: true
|
||||||
profiles::consul::server::data_dir: /data/consul
|
profiles::consul::server::data_dir: /data/consul
|
||||||
profiles::consul::server::addresses:
|
profiles::consul::server::addresses:
|
||||||
|
|||||||
@@ -1,4 +1,10 @@
|
|||||||
---
|
---
|
||||||
|
hiera_include:
|
||||||
|
- firewall::rules::in::sshd
|
||||||
|
- firewall::rules::in::vault
|
||||||
|
|
||||||
|
firewall::rules::in::ssh::ipset: jumphost
|
||||||
|
|
||||||
profiles::vault::server::members_role: roles::infra::storage::vault
|
profiles::vault::server::members_role: roles::infra::storage::vault
|
||||||
profiles::vault::server::members_lookup: true
|
profiles::vault::server::members_lookup: true
|
||||||
profiles::vault::server::data_dir: /data/vault
|
profiles::vault::server::data_dir: /data/vault
|
||||||
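Review bot: The key `firewall::rules::in::ssh::ipset: jumphost` does not match the class that would consume it, `firewall::rules::in::sshd` (parameter `$ipset`), so automatic parameter lookup never binds it and the vault servers' SSH rule is not restricted to the `jumphost` set as this line intends. Change it to `firewall::rules::in::sshd::ipset: jumphost`. With the parameter left at its `undef` default the class's `$ipset != ''` test still takes the true branch and renders `tcp dport 22 ip saddr @ accept`; that defect is raised on the class itself.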
|
|||||||
@@ -1,7 +1,14 @@
|
|||||||
|
# used by certbot clients to request letsencrypt certificates
|
||||||
|
# - domains: list of certificates to generate
|
||||||
|
# - webserver: where the client downloads certificates from
|
||||||
|
# - data_dir: where to store the certificates on the client
|
||||||
|
# - services: the services to notify when certificates change
|
||||||
|
#
|
||||||
class certbot::client (
|
class certbot::client (
|
||||||
Array[Stdlib::Fqdn] $domains,
|
Array[Stdlib::Fqdn] $domains,
|
||||||
Stdlib::Fqdn $webserver,
|
Stdlib::Fqdn $webserver,
|
||||||
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
|
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
|
||||||
|
Optional[String] $service = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
mkdir::p {$data_dir:}
|
mkdir::p {$data_dir:}
|
||||||
@@ -14,10 +21,11 @@ class certbot::client (
|
|||||||
|
|
||||||
$domains.each |$domain| {
|
$domains.each |$domain| {
|
||||||
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
|
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
|
||||||
domain => $domain,
|
domain => $domain,
|
||||||
destination => "${data_dir}/${domain}",
|
destination => "${data_dir}/${domain}",
|
||||||
webserver => $webserver,
|
webserver => $webserver,
|
||||||
require => File[$data_dir],
|
require => File[$data_dir],
|
||||||
|
notify_service => $service,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
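Review bot: The new header comment documents `domains`, `webserver`, `data_dir` and `services`, but the parameter actually added is the singular `$service`; align the comment with the code, e.g. `# - service: optional name of the service to notify when a certificate changes (passed to certbot::client::cert as notify_service)`. Separately, the pre-existing default `'/etc/pki/tls/letsencrypt/'` ends in a slash while the loop builds `"${data_dir}/${domain}"`, so destinations contain `//`; dropping the trailing slash from the default avoids that. The body of `certbot::client` continues outside the hunk.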
|
|||||||
@@ -1,7 +1,13 @@
|
|||||||
|
# a define for creating a single certificate
|
||||||
|
# - domain: the domain to generate a certificate for
|
||||||
|
# - webserver: where to download the certificate from
|
||||||
|
# - destination: the data directory on the client
|
||||||
|
# - notify_service: what service to notify when the concat exec completes
|
||||||
define certbot::client::cert (
|
define certbot::client::cert (
|
||||||
Stdlib::Fqdn $domain,
|
Stdlib::Fqdn $domain,
|
||||||
Stdlib::Fqdn $webserver,
|
Stdlib::Fqdn $webserver,
|
||||||
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
|
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
|
||||||
|
Optional[String] $notify_service = undef,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
file { $destination:
|
file { $destination:
|
||||||
@@ -34,8 +40,16 @@ define certbot::client::cert (
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# create file resources
|
||||||
create_resources(file, $files_to_create)
|
create_resources(file, $files_to_create)
|
||||||
|
|
||||||
|
# if notify_service is specified
|
||||||
|
if $notify_service != undef {
|
||||||
|
$service = Service[$notify_service]
|
||||||
|
}else{
|
||||||
|
$service = undef
|
||||||
|
}
|
||||||
|
|
||||||
exec { "concat_${domain}_certs":
|
exec { "concat_${domain}_certs":
|
||||||
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
|
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
|
||||||
path => ['/bin', '/usr/bin'],
|
path => ['/bin', '/usr/bin'],
|
||||||
@@ -44,6 +58,7 @@ define certbot::client::cert (
|
|||||||
File["${destination}/fullchain.pem"],
|
File["${destination}/fullchain.pem"],
|
||||||
File["${destination}/privkey.pem"],
|
File["${destination}/privkey.pem"],
|
||||||
],
|
],
|
||||||
|
notify => $service,
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
notify { 'Certificates are not yet ready on the generator server.': }
|
notify { 'Certificates are not yet ready on the generator server.': }
|
||||||
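Review bot: The `if $notify_service != undef { ... }else{ ... }` block is a point of style: the `}else{` spacing departs from the `} else {` used further down in the same define, and the whole construct is a selector, `$service = $notify_service ? { undef => undef, default => Service[$notify_service] }`. Passing `notify => $service` with `undef` is fine since Puppet ignores undef relationship values, which is worth a one-line comment on the `notify => $service,` line, e.g. `# undef when no notify_service was given; Puppet ignores an undef notify`. The enclosing `if` around the exec and the `else` branch extend beyond this hunk.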
|
|||||||
@@ -0,0 +1,29 @@
|
|||||||
|
# manage the firewall
|
||||||
|
class firewall (
|
||||||
|
Boolean $enable = false,
|
||||||
|
Hash $ipset_queries = {},
|
||||||
|
){
|
||||||
|
|
||||||
|
if $enable {
|
||||||
|
$ipset_queries.each |$ipset, $query| {
|
||||||
|
$ips = sort(query_nodes($query, 'networking.ip'))
|
||||||
|
|
||||||
|
nftables::set{$ipset:
|
||||||
|
type => 'ipv4_addr',
|
||||||
|
flags => ['dynamic'],
|
||||||
|
elements => $ips,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
class {'nftables':
|
||||||
|
in_ssh => false,
|
||||||
|
in_icmp => true,
|
||||||
|
out_ntp => false,
|
||||||
|
out_dns => false,
|
||||||
|
out_http => false,
|
||||||
|
out_https => false,
|
||||||
|
out_icmp => true,
|
||||||
|
out_all => false,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
class firewall::rules::in::cobbler (
|
||||||
|
Array[Stdlib::Port] $ports = [25150,25151],
|
||||||
|
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
$protocols.each |$proto| {
|
||||||
|
nftables::rule { "default_in-cobbler_${proto}_${port}":
|
||||||
|
content => "${proto} dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,39 @@
|
|||||||
|
class firewall::rules::in::consul (
|
||||||
|
Boolean $is_server = false,
|
||||||
|
) {
|
||||||
|
|
||||||
|
# serf traffic (lan and wan)
|
||||||
|
nftables::rule { 'default_in-consul_udp_8301':
|
||||||
|
content => 'udp dport 8301 accept',
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_in-consul_tcp_8301':
|
||||||
|
content => 'tcp dport 8301 accept',
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_in-consul_udp_8302':
|
||||||
|
content => 'udp dport 8302 accept',
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_in-consul_tcp_8302':
|
||||||
|
content => 'tcp dport 8302 accept',
|
||||||
|
}
|
||||||
|
|
||||||
|
if $is_server {
|
||||||
|
# dns interface
|
||||||
|
nftables::rule { 'default_in-consul_udp_8600':
|
||||||
|
content => 'udp dport 8600 accept',
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_in-consul_tcp_8600':
|
||||||
|
content => 'tcp dport 8600 accept',
|
||||||
|
}
|
||||||
|
|
||||||
|
# communication with servers
|
||||||
|
nftables::rule { 'default_in-consul_tcp_8300':
|
||||||
|
content => 'tcp dport 8300 accept',
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_in-consul_tcp_8500':
|
||||||
|
content => 'tcp dport 8500 accept',
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_in-consul_tcp_8503':
|
||||||
|
content => 'tcp dport 8503 accept',
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
class firewall::rules::in::dhcp {
|
||||||
|
nftables::rule { 'default_in-dhcp':
|
||||||
|
content => 'udp sport {67, 68} udp dport {67, 68} accept';
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
class firewall::rules::in::dns (
|
||||||
|
Array[Stdlib::Port] $ports = [53],
|
||||||
|
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
|
||||||
|
Optional[String] $ipset = undef,
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
$protocols.each |$proto| {
|
||||||
|
if $ipset != '' {
|
||||||
|
$rule = "${proto} dport ${port} ip saddr @${ipset} accept"
|
||||||
|
}else{
|
||||||
|
$rule = "${proto} dport ${port} accept"
|
||||||
|
}
|
||||||
|
nftables::rule { "default_in-dns_${proto}_${port}":
|
||||||
|
content => $rule,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
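Review bot: `if $ipset != ''` takes the true branch for the default `Optional[String] $ipset = undef`, because in Puppet 4+ `undef` is not equal to the empty string; the rule then renders as `${proto} dport ${port} ip saddr @ accept`, an nftables syntax error that prevents the whole ruleset from loading on every node that includes this class without an ipset. `firewall::rules::in::sshd` uses the same construct, where the consequence is that the SSH rule never loads either. Test for a non-empty string instead, `if $ipset =~ String[1] {`, and optionally tighten the parameter to `Optional[String[1]] $ipset = undef,`.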
@@ -0,0 +1,13 @@
|
|||||||
|
# 9100: node_exporter
|
||||||
|
# 9558: sysstemd_exporter
|
||||||
|
class firewall::rules::in::exporters (
|
||||||
|
Array[Stdlib::Port] $ports = [9100,9558],
|
||||||
|
String $ipset = 'prometheus',
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_in-metrics_exporter_tcp_${port}":
|
||||||
|
content => "tcp dport ${port} ip saddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
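Review bot: The header comment `# 9558: sysstemd_exporter` misspells systemd_exporter, and the port list in the comment goes stale as soon as a host overrides `$ports` (the puppetdb data in this change adds 9635 with no label). Rephrase it as `# default ports: 9100 node_exporter, 9558 systemd_exporter; hosts may extend $ports` and document the other parameter with `# - ipset: nftables set of scrapers allowed to reach the exporters (default 'prometheus')`.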
@@ -0,0 +1,10 @@
|
|||||||
|
class firewall::rules::in::http (
|
||||||
|
Array[Stdlib::Port] $ports = [80],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_in-http_${port}":
|
||||||
|
content => "tcp dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
class firewall::rules::in::https (
|
||||||
|
Array[Stdlib::Port] $ports = [443],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_in-https_${port}":
|
||||||
|
content => "tcp dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
class firewall::rules::in::mysql (
|
||||||
|
Array[Stdlib::Port] $ports = [3306],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_in-mysql_${port}":
|
||||||
|
content => "tcp dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
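Review bot: `content => "tcp dport ${port} accept"` admits 3306 from any source, while the matching egress class `firewall::rules::out::mysql` restricts by `ip daddr @<set>`; `firewall::rules::in::postgres`, `in::vault` and `in::puppetdbapi` in this change have the same open form. If the clients are known roles (the `sql_galera` and `sql_patroni` sets already exist in common data), an `Optional[String[1]] $ipset = undef` parameter as in `firewall::rules::in::sshd` would let the rule become `tcp dport ${port} ip saddr @${ipset} accept` when set. This is a hardening suggestion rather than a defect in the rule as written.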
@@ -0,0 +1,10 @@
|
|||||||
|
class firewall::rules::in::ntp (
|
||||||
|
Array[Stdlib::Port] $ports = [123],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_in-ntp_${port}":
|
||||||
|
content => "udp dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
class firewall::rules::in::postgres (
|
||||||
|
Array[Stdlib::Port] $ports = [5432],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_in-postgres_${port}":
|
||||||
|
content => "tcp dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
class firewall::rules::in::puppetdbapi (
|
||||||
|
Array[Stdlib::Port] $ports = [8080,8081],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_in-puppetdbapi_${port}":
|
||||||
|
content => "tcp dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
class firewall::rules::in::sshd (
|
||||||
|
Array[Stdlib::Port] $ports = [22],
|
||||||
|
Optional[String] $ipset = undef,
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
if $ipset != '' {
|
||||||
|
$rule = "tcp dport ${port} ip saddr @${ipset} accept"
|
||||||
|
}else{
|
||||||
|
$rule = "tcp dport ${port} accept"
|
||||||
|
}
|
||||||
|
nftables::rule { "default_in-sshd_tcp_${port}":
|
||||||
|
content => $rule,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
class firewall::rules::in::tftp (
|
||||||
|
Array[Stdlib::Port] $ports = [69],
|
||||||
|
Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
$protocols.each |$proto| {
|
||||||
|
nftables::rule { "default_in-tftp_${proto}_${port}":
|
||||||
|
content => "${proto} dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
class firewall::rules::in::vault (
|
||||||
|
Array[Stdlib::Port] $ports = [8200, 8201],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_in-vaultserver_${port}":
|
||||||
|
content => "tcp dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
class firewall::rules::out::ceph_client (
|
||||||
|
Array[Stdlib::Port,1] $ports = [3300, 6789],
|
||||||
|
) {
|
||||||
|
nftables::rule {
|
||||||
|
'default_out-ceph_client':
|
||||||
|
content => "tcp dport { ${$ports.join(', ')}, 6800-7300 } accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,29 @@
|
|||||||
|
class firewall::rules::out::consul (
|
||||||
|
String $ipset = 'consul',
|
||||||
|
) {
|
||||||
|
|
||||||
|
# serf traffic (lan and wan)
|
||||||
|
nftables::rule { 'default_out-consul_udp_8301':
|
||||||
|
content => 'udp dport 8301 accept',
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_out-consul_tcp_8301':
|
||||||
|
content => 'tcp dport 8301 accept',
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_out-consul_udp_8302':
|
||||||
|
content => 'udp dport 8302 accept',
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_out-consul_tcp_8302':
|
||||||
|
content => 'tcp dport 8302 accept',
|
||||||
|
}
|
||||||
|
|
||||||
|
# communication with servers
|
||||||
|
nftables::rule { 'default_out-consul_tcp_8300':
|
||||||
|
content => "tcp dport 8300 ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_out-consul_tcp_8500':
|
||||||
|
content => "tcp dport 8500 ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_out-consul_tcp_8503':
|
||||||
|
content => "tcp dport 8503 ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
class firewall::rules::out::dhcp {
|
||||||
|
nftables::rule { 'default_out-dhcpc':
|
||||||
|
content => 'udp sport {67, 68} udp dport {67, 68} accept';
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
class firewall::rules::out::dns (
|
||||||
|
String $ipset = 'dns_resolver',
|
||||||
|
) {
|
||||||
|
|
||||||
|
nftables::rule { 'default_out-dns_udp_53':
|
||||||
|
content => "udp dport 53 ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
nftables::rule { 'default_out-dns_tcp_53':
|
||||||
|
content => "tcp dport 53 ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
class firewall::rules::out::http (
|
||||||
|
Array[Stdlib::Port] $ports = [80],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_out-http_tcp_${port}":
|
||||||
|
content => "tcp dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
class firewall::rules::out::https (
|
||||||
|
Array[Stdlib::Port] $ports = [443],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_out-https_tcp_${port}":
|
||||||
|
content => "tcp dport ${port} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
class firewall::rules::out::mysql (
|
||||||
|
String $ipset = 'sql_galera',
|
||||||
|
){
|
||||||
|
nftables::rule { 'default_out-mysql_tcp_3306':
|
||||||
|
content => "tcp dport 3306 ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
class firewall::rules::out::ntp (
|
||||||
|
String $ipset = 'ntp',
|
||||||
|
Array[Stdlib::Port] $ports = [123],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_out-ntp_udp_${port}":
|
||||||
|
content => "udp dport ${port} ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
class firewall::rules::out::postgres (
|
||||||
|
String $ipset = 'sql_galera',
|
||||||
|
){
|
||||||
|
nftables::rule { 'default_out-postgres_tcp_5432':
|
||||||
|
content => "tcp dport 5432 ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
class firewall::rules::out::puppet (
|
||||||
|
String $ipset = 'puppetmaster',
|
||||||
|
Array[Stdlib::Port] $ports = [8140],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_out-puppet_${port}":
|
||||||
|
content => "tcp dport ${port} ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
class firewall::rules::out::vault (
|
||||||
|
String $ipset = 'vault',
|
||||||
|
Array[Stdlib::Port] $ports = [8200],
|
||||||
|
) {
|
||||||
|
|
||||||
|
$ports.each |$port| {
|
||||||
|
nftables::rule { "default_out-vault_${port}":
|
||||||
|
content => "tcp dport ${port} ip daddr @${ipset} accept",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -38,6 +38,7 @@ class profiles::base (
|
|||||||
include profiles::metrics::default
|
include profiles::metrics::default
|
||||||
include profiles::helpers::node_lookup
|
include profiles::helpers::node_lookup
|
||||||
include profiles::consul::client
|
include profiles::consul::client
|
||||||
|
include firewall
|
||||||
|
|
||||||
# include the python class
|
# include the python class
|
||||||
class { 'python':
|
class { 'python':
|
||||||
|
|||||||
@@ -4,7 +4,6 @@ class profiles::base::repos {
|
|||||||
case $facts['os']['family'] {
|
case $facts['os']['family'] {
|
||||||
'RedHat': {
|
'RedHat': {
|
||||||
include profiles::yum::global
|
include profiles::yum::global
|
||||||
include profiles::firewall::firewalld
|
|
||||||
}
|
}
|
||||||
'Debian': {
|
'Debian': {
|
||||||
include profiles::apt::global
|
include profiles::apt::global
|
||||||
|
|||||||
@@ -113,6 +113,7 @@ class profiles::nginx::simpleproxy (
|
|||||||
proxy_cache_max_size => '1024m',
|
proxy_cache_max_size => '1024m',
|
||||||
proxy_cache_inactive => '10m',
|
proxy_cache_inactive => '10m',
|
||||||
proxy_temp_path => '/var/cache/nginx/cache_temp',
|
proxy_temp_path => '/var/cache/nginx/cache_temp',
|
||||||
|
service_manage => false,
|
||||||
}
|
}
|
||||||
|
|
||||||
# create the nginx vhost with the merged parameters
|
# create the nginx vhost with the merged parameters
|
||||||
@@ -132,5 +133,11 @@ class profiles::nginx::simpleproxy (
|
|||||||
value => 'on',
|
value => 'on',
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
service { 'nginx':
|
||||||
|
ensure => true,
|
||||||
|
enable => true,
|
||||||
|
subscribe => [File[$selected_ssl_cert], File[$selected_ssl_key]],
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
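Review bot: `ensure => true` on the new `service { 'nginx': }` is accepted as an alias for `running`, but the spelled-out value is what the resource documents and what readers expect: `ensure => running,`. Subscribing the service to `File[$selected_ssl_cert]` and `File[$selected_ssl_key]` fits the certbot notify path added elsewhere in this change; note that without a `restart` attribute Puppet presumably stops and starts nginx on each certificate rotation rather than reloading it, which this hunk cannot show either way. `profiles::nginx::simpleproxy` begins outside the hunk.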
|
|||||||