bundles: use a common metadata key for firewall restrictions, use repo.libs.tools.resolve_identifier()
This commit is contained in:
parent
9a2f9038c4
commit
5c1eba0d58
8 changed files with 92 additions and 49 deletions
|
@ -96,3 +96,28 @@ def add_users_from_json(metadata):
|
||||||
'icinga_users': users,
|
'icinga_users': users,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@metadata_reactor.provides(
|
||||||
|
'iptables/bundle_rules/icinga2',
|
||||||
|
)
|
||||||
|
def iptables(metadata):
|
||||||
|
identifiers = metadata.get('icinga2/restrict-to', set())
|
||||||
|
rules = set()
|
||||||
|
|
||||||
|
if identifiers:
|
||||||
|
for identifier in sorted(identifiers):
|
||||||
|
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
|
||||||
|
|
||||||
|
for address in resolved['ipv4']:
|
||||||
|
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 5665 -j ACCEPT')
|
||||||
|
else:
|
||||||
|
rules.add('iptables -A INPUT -p tcp --dport 5665 -j ACCEPT')
|
||||||
|
|
||||||
|
return {
|
||||||
|
'iptables': {
|
||||||
|
'bundle_rules': {
|
||||||
|
'icinga2': list(sorted(rules)),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
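Review bot: The fallback branch `else: rules.add('iptables -A INPUT -p tcp --dport 5665 -j ACCEPT')` opens the Icinga API port to every IPv4 source whenever `icinga2/restrict-to` is absent, so a node that simply lacks the key fails open rather than closed. The transmission hunk introduces the same pattern for the RPC port, where the old interface loop emitted no rule at all when nothing was configured, and netdata keeps its pre-existing open fallback; the unbound hunk, by contrast, emits nothing without the key. If the open default is intended, record it above the `else`, e.g. `# no 'icinga2/restrict-to' configured: port 5665 is reachable from any IPv4 source`; otherwise drop the `else` branch so the reactor only ever emits rules for resolved identifiers. The function's `@metadata_reactor.provides(` decorator and the rest of the new reactor are fully inside this hunk, so the change is self-contained.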
|
@ -20,20 +20,22 @@ defaults = {
|
||||||
'iptables/bundle_rules/netdata',
|
'iptables/bundle_rules/netdata',
|
||||||
)
|
)
|
||||||
def iptables(metadata):
|
def iptables(metadata):
|
||||||
interfaces = metadata.get('netdata/restrict-to-interfaces', set())
|
identifiers = metadata.get('netdata/restrict-to', set())
|
||||||
rules = []
|
rules = set()
|
||||||
|
|
||||||
if interfaces:
|
if identifiers:
|
||||||
for iface in sorted(interfaces):
|
for identifier in sorted(identifiers):
|
||||||
rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 19999 -j ACCEPT')
|
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
|
||||||
|
|
||||||
|
for address in resolved['ipv4']:
|
||||||
|
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 19999 -j ACCEPT')
|
||||||
else:
|
else:
|
||||||
rules.append('iptables_both -A INPUT -p tcp --dport 19999 -j ACCEPT')
|
rules.add('iptables -A INPUT -p tcp --dport 19999 -j ACCEPT')
|
||||||
|
|
||||||
return {
|
return {
|
||||||
'iptables': {
|
'iptables': {
|
||||||
'bundle_rules': {
|
'bundle_rules': {
|
||||||
'netdata': rules,
|
'netdata': list(sorted(rules)),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
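Review bot: The unrestricted fallback changes from `iptables_both` to `iptables` (`rules.add('iptables -A INPUT -p tcp --dport 19999 -j ACCEPT')`), which silently drops the IPv6 ACCEPT the old rule produced, while the nginx hunk keeps `iptables_both` for its fallback. The restricted path likewise reads only `resolved['ipv4']`, so an identifier that resolves to IPv6 addresses only produces no rule at all; the icinga2 and transmission hunks have the same gap, whereas nginx and unbound add a second loop over `resolved['ipv6']`. If netdata is meant to be IPv4-only, say so in a comment at the top of the function; otherwise add `for address in resolved['ipv6']: rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 19999 -j ACCEPT')` after the IPv4 loop and restore `iptables_both` in the fallback.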
|
@ -146,22 +146,28 @@ def monitoring(metadata):
|
||||||
'iptables/bundle_rules/nginx',
|
'iptables/bundle_rules/nginx',
|
||||||
)
|
)
|
||||||
def iptables(metadata):
|
def iptables(metadata):
|
||||||
interfaces = metadata.get('nginx/restrict-to-interfaces', set())
|
identifiers = metadata.get('nginx/restrict-to', set())
|
||||||
rules = []
|
rules = set()
|
||||||
|
|
||||||
if interfaces:
|
if identifiers:
|
||||||
for iface in sorted(interfaces):
|
for identifier in sorted(identifiers):
|
||||||
rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 80 -j ACCEPT')
|
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
|
||||||
rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 443 -j ACCEPT')
|
|
||||||
|
|
||||||
|
for address in resolved['ipv4']:
|
||||||
|
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
|
||||||
|
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
|
||||||
|
|
||||||
|
for address in resolved['ipv6']:
|
||||||
|
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
|
||||||
|
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
|
||||||
else:
|
else:
|
||||||
rules.append('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
|
rules.add('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
|
||||||
rules.append('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
|
rules.add('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
|
||||||
|
|
||||||
return {
|
return {
|
||||||
'iptables': {
|
'iptables': {
|
||||||
'bundle_rules': {
|
'bundle_rules': {
|
||||||
'nginx': rules,
|
'nginx': list(sorted(rules)),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
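Review bot: The resolve-and-loop block starting at `for identifier in sorted(identifiers):` is now copy-pasted, with only the port numbers and table names varying, across the icinga2, netdata, nginx, transmission and unbound hunks, and the copies already disagree on whether `resolved['ipv6']` is consulted. Since the commit already centralises address resolution in `repo.libs.tools.resolve_identifier()`, a sibling helper in that module that takes the identifiers and a list of (protocol, port) pairs and returns the ACCEPT rules for both address families would reduce each reactor to one call and make the family handling uniform. It would also be the natural place to document what `resolve_identifier()` returns; from these hunks only the `'ipv4'` and `'ipv6'` keys are visible, and whether an unknown identifier raises or yields empty lists cannot be told.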
|
@ -37,26 +37,34 @@ defaults = {
|
||||||
'iptables/bundle_rules/transmission',
|
'iptables/bundle_rules/transmission',
|
||||||
)
|
)
|
||||||
def iptables(metadata):
|
def iptables(metadata):
|
||||||
interfaces = metadata.get('transmission/webinterface-on-interfaces', set())
|
identifiers = metadata.get('transmission/restrict-to', set())
|
||||||
rules = []
|
rules = set()
|
||||||
|
|
||||||
rules.append('iptables_both -A INPUT -p udp --dport {} -j ACCEPT'.format(
|
rules.add('iptables_both -A INPUT -p udp --dport {} -j ACCEPT'.format(
|
||||||
metadata.get('transmission/config/peer-port'),
|
metadata.get('transmission/config/peer-port'),
|
||||||
))
|
))
|
||||||
rules.append('iptables_both -A INPUT -p tcp --dport {} -j ACCEPT'.format(
|
rules.add('iptables_both -A INPUT -p tcp --dport {} -j ACCEPT'.format(
|
||||||
metadata.get('transmission/config/peer-port'),
|
metadata.get('transmission/config/peer-port'),
|
||||||
))
|
))
|
||||||
|
|
||||||
for iface in sorted(interfaces):
|
if identifiers:
|
||||||
rules.append('iptables_both -A INPUT -i {} -p tcp --dport {} -j ACCEPT'.format(
|
for identifier in sorted(identifiers):
|
||||||
iface,
|
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
|
||||||
|
|
||||||
|
for address in resolved['ipv4']:
|
||||||
|
rules.add('iptables -A INPUT -p tcp -s {} --dport {} -j ACCEPT'.format(
|
||||||
|
address,
|
||||||
|
metadata.get('transmission/config/rpc-port'),
|
||||||
|
))
|
||||||
|
else:
|
||||||
|
rules.add('iptables -A INPUT -p tcp --dport {} -j ACCEPT'.format(
|
||||||
metadata.get('transmission/config/rpc-port'),
|
metadata.get('transmission/config/rpc-port'),
|
||||||
))
|
))
|
||||||
|
|
||||||
return {
|
return {
|
||||||
'iptables': {
|
'iptables': {
|
||||||
'bundle_rules': {
|
'bundle_rules': {
|
||||||
'transmission': rules,
|
'transmission': list(sorted(rules)),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
@ -41,17 +41,25 @@ def cpu_cores_to_config_values(metadata):
|
||||||
'iptables/bundle_rules/unbound',
|
'iptables/bundle_rules/unbound',
|
||||||
)
|
)
|
||||||
def iptables(metadata):
|
def iptables(metadata):
|
||||||
interfaces = metadata.get('unbound/restrict-to-interfaces', set())
|
identifiers = metadata.get('unbound/restrict-to', set())
|
||||||
rules = []
|
rules = set()
|
||||||
|
|
||||||
for iface in sorted(interfaces):
|
if identifiers:
|
||||||
rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 53 -j ACCEPT')
|
for identifier in sorted(identifiers):
|
||||||
rules.append(f'iptables_both -A INPUT -i {iface} -p udp --dport 53 -j ACCEPT')
|
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
|
||||||
|
|
||||||
|
for address in resolved['ipv4']:
|
||||||
|
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 53 -j ACCEPT')
|
||||||
|
rules.add(f'iptables -A INPUT -p udp -s {address} --dport 53 -j ACCEPT')
|
||||||
|
|
||||||
|
for address in resolved['ipv6']:
|
||||||
|
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 53 -j ACCEPT')
|
||||||
|
rules.add(f'ip6tables -A INPUT -p udp -s {address} --dport 53 -j ACCEPT')
|
||||||
|
|
||||||
return {
|
return {
|
||||||
'iptables': {
|
'iptables': {
|
||||||
'bundle_rules': {
|
'bundle_rules': {
|
||||||
'unbound': rules,
|
'unbound': list(sorted(rules)),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
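Review bot: This reactor has no `else` branch, so a node without `unbound/restrict-to` gets no ACCEPT rule for port 53 at all, which is the opposite default from the icinga2, netdata and transmission hunks that open the port to any source in that case; nothing in the hunk records that the asymmetry is deliberate. A short comment before `if identifiers:` such as `# no 'unbound/restrict-to' configured means no ACCEPT rules: DNS stays closed by default` would stop the next reader from "fixing" it to match the other bundles. The `@metadata_reactor.provides(` decorator opens outside the hunk.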
|
@ -31,8 +31,8 @@ nodes['home.downloadhelper'] = {
|
||||||
'exclude_from_backups': True,
|
'exclude_from_backups': True,
|
||||||
},
|
},
|
||||||
'netdata': {
|
'netdata': {
|
||||||
'restrict-to-interfaces': {
|
'restrict-to': {
|
||||||
'enp1s0.42',
|
'172.19.136.0/22',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
'nfs-client': {
|
'nfs-client': {
|
||||||
|
@ -52,8 +52,8 @@ nodes['home.downloadhelper'] = {
|
||||||
'download-dir': '/mnt/nas',
|
'download-dir': '/mnt/nas',
|
||||||
'download-queue-size': 10,
|
'download-queue-size': 10,
|
||||||
},
|
},
|
||||||
'webinterface-on-interfaces': {
|
'restrict-to': {
|
||||||
'enp1s0.42',
|
'172.19.136.0/22',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
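Review bot: Replacing the interface restriction `'enp1s0.42'` with the source network `'172.19.136.0/22'` changes what the firewall actually checks: the generated rule now carries `-s` but no `-i`, so any packet whose source address is in that range is accepted regardless of the interface it arrived on. Whether that is acceptable depends on reverse-path filtering or upstream anti-spoofing on this host, which the diff does not show; if the intent is still "only from that VLAN", keeping the interface alongside the identifier (an `-i` plus `-s` rule) would preserve the old guarantee. The same substitution is made in the home.router and ovh.icinga2 node hunks.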
|
@ -82,16 +82,14 @@ nodes['home.router'] = {
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
'netdata': {
|
'netdata': {
|
||||||
'restrict-to-interfaces': {
|
'restrict-to': {
|
||||||
'enp1s0.42',
|
'172.19.136.0/22',
|
||||||
'wg0',
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
'nginx': {
|
'nginx': {
|
||||||
'use_ssl_for_all_connections': False,
|
'use_ssl_for_all_connections': False,
|
||||||
'restrict-to-interfaces': {
|
'restrict-to': {
|
||||||
'enp1s0.42',
|
'172.19.136.0/22',
|
||||||
'wg0',
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
'openvpn-client': {
|
'openvpn-client': {
|
||||||
|
@ -115,9 +113,8 @@ nodes['home.router'] = {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
'unbound': {
|
'unbound': {
|
||||||
'restrict-to-interfaces': {
|
'restrict-to': {
|
||||||
'enp1s0.23',
|
'172.19.138.0/23',
|
||||||
'enp1s0.42',
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
'users': {
|
'users': {
|
||||||
|
|
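Review bot: The new `'restrict-to'` sets drop entries that the old interface sets had: `'wg0'` is gone from both the netdata and the nginx restriction, and `'enp1s0.23'` from unbound, leaving only `'172.19.136.0/22'` and `'172.19.138.0/23'`. If the WireGuard peers and the VLAN 23 clients are not addressed inside those networks, they lose access to ports 19999, 80/443 and 53 with this commit; the address plan is not visible here, so this is worth confirming against the wg0 and VLAN configuration. A comment next to each set naming which networks the CIDR is meant to stand in for (e.g. `# VLAN 42 and wg0 peers` if that is the case) would make the next review of this file easier.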
|
@ -46,6 +46,9 @@ nodes['ovh.icinga2'] = {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
'restrict-to': {
|
||||||
|
'172.19.138.0/24',
|
||||||
|
},
|
||||||
'sipgate_user': vault.decrypt('encrypt$gAAAAABfujAmCUnicSAllq8MskXnPodKp3cGcfA6Abvef-rAYwB2CtCwt9oBRVKFskJPVArDaF1wfjNTfLwgX3gTP7xFutJ1HA=='),
|
'sipgate_user': vault.decrypt('encrypt$gAAAAABfujAmCUnicSAllq8MskXnPodKp3cGcfA6Abvef-rAYwB2CtCwt9oBRVKFskJPVArDaF1wfjNTfLwgX3gTP7xFutJ1HA=='),
|
||||||
'sipgate_pass': vault.decrypt('encrypt$gAAAAABfui_4B7UmOosI_gsQ-xvmd3X_BUDSl-G2KF_Tg8O6RpUvk0gHexOKsrTb6se1ipXsh7RC9pbZCKMtesW0C6j24LHXDKCOjkqI77oO0ZjnG6SUwfcJqg61biNiRlXy8z-9LCGA'),
|
'sipgate_pass': vault.decrypt('encrypt$gAAAAABfui_4B7UmOosI_gsQ-xvmd3X_BUDSl-G2KF_Tg8O6RpUvk0gHexOKsrTb6se1ipXsh7RC9pbZCKMtesW0C6j24LHXDKCOjkqI77oO0ZjnG6SUwfcJqg61biNiRlXy8z-9LCGA'),
|
||||||
},
|
},
|
||||||
|
@ -68,12 +71,6 @@ nodes['ovh.icinga2'] = {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
'iptables': {
|
|
||||||
'custom_rules': {
|
|
||||||
# icinga2 api
|
|
||||||
'iptables -A INPUT -i wg0 -p tcp --dport 5665 -j ACCEPT',
|
|
||||||
},
|
|
||||||
},
|
|
||||||
'nginx': {
|
'nginx': {
|
||||||
'vhosts': {
|
'vhosts': {
|
||||||
'icingaweb': {
|
'icingaweb': {
|
||||||
|
|
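Review bot: The new `'restrict-to': {'172.19.138.0/24'}` block is inserted after three closing braces, so which metadata section it lands in is not visible from the hunk; it only takes effect under `'icinga2'`, because the reactor reads `metadata.get('icinga2/restrict-to', set())`, and a misplaced key would silently select that reactor's open-to-all fallback for port 5665. Worth checking in the full file rather than the hunk. The removed `custom_rules` entry `'iptables -A INPUT -i wg0 -p tcp --dport 5665 -j ACCEPT'` was bound to the wg0 interface, whereas the generated replacement matches on source address only, so the reachable set is now defined by whatever the /24 covers rather than by the tunnel.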