bundles: use a common metadata key for firewall restrictions, use repo.libs.tools.resolve_identifier()

2021-02-15 14:16:35 +01:00 · 2021-02-15 14:16:35 +01:00 · 5c1eba0d58
commit 5c1eba0d58
parent 9a2f9038c4
8 changed files with 92 additions and 49 deletions
--- a/nodes/home/downloadhelper.py
+++ b/nodes/home/downloadhelper.py
@ -31,8 +31,8 @@ nodes['home.downloadhelper'] = {
            'exclude_from_backups': True,
        },
        'netdata': {
-            'restrict-to-interfaces': {
-                'enp1s0.42',
+            'restrict-to': {
+                '172.19.136.0/22',
            },
        },
        'nfs-client': {
@ -52,8 +52,8 @@ nodes['home.downloadhelper'] = {
                'download-dir': '/mnt/nas',
                'download-queue-size': 10,
            },
-            'webinterface-on-interfaces': {
-                'enp1s0.42',
+            'restrict-to': {
+                '172.19.136.0/22',
            },
        },
    },
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@ -82,16 +82,14 @@ nodes['home.router'] = {
            ],
        },
        'netdata': {
-            'restrict-to-interfaces': {
-                'enp1s0.42',
-                'wg0',
+            'restrict-to': {
+                '172.19.136.0/22',
            },
        },
        'nginx': {
            'use_ssl_for_all_connections': False,
-            'restrict-to-interfaces': {
-                'enp1s0.42',
-                'wg0',
+            'restrict-to': {
+                '172.19.136.0/22',
            },
        },
        'openvpn-client': {
@ -115,9 +113,8 @@ nodes['home.router'] = {
            },
        },
        'unbound': {
-            'restrict-to-interfaces': {
-                'enp1s0.23',
-                'enp1s0.42',
+            'restrict-to': {
+                '172.19.138.0/23',
            },
        },
        'users': {
--- a/nodes/ovh/icinga2.py
+++ b/nodes/ovh/icinga2.py
@ -46,6 +46,9 @@ nodes['ovh.icinga2'] = {
                    },
                },
            },
+            'restrict-to': {
+                '172.19.138.0/24',
+            },
            'sipgate_user': vault.decrypt('encrypt$gAAAAABfujAmCUnicSAllq8MskXnPodKp3cGcfA6Abvef-rAYwB2CtCwt9oBRVKFskJPVArDaF1wfjNTfLwgX3gTP7xFutJ1HA=='),
            'sipgate_pass': vault.decrypt('encrypt$gAAAAABfui_4B7UmOosI_gsQ-xvmd3X_BUDSl-G2KF_Tg8O6RpUvk0gHexOKsrTb6se1ipXsh7RC9pbZCKMtesW0C6j24LHXDKCOjkqI77oO0ZjnG6SUwfcJqg61biNiRlXy8z-9LCGA'),
        },
@ -68,12 +71,6 @@ nodes['ovh.icinga2'] = {
                },
            },
        },
-        'iptables': {
-            'custom_rules': {
-                # icinga2 api
-                'iptables -A INPUT -i wg0 -p tcp --dport 5665 -j ACCEPT',
-            },
-        },
        'nginx': {
            'vhosts': {
                'icingaweb': {