authorPedro Alvarez <pedro.alvarez@codethink.co.uk>2021-09-10 16:28:13 +0100
committerPedro Alvarez <pedro.alvarez@codethink.co.uk>2021-09-20 12:40:51 +0100
commitb2f63b9c4ec10f8932fb2bee9f895ea81f596fc7 (patch)
tree5c60aa772f93ce3e36768c802eb40030cae6d8a1 /firewall.yaml
parente609fa50c214bb87b42417cc283f70e28ecefd83 (diff)
Remove obsolete files
Diffstat (limited to 'firewall.yaml')
-rw-r--r--firewall.yaml250
1 files changed, 0 insertions, 250 deletions
diff --git a/firewall.yaml b/firewall.yaml
deleted file mode 100644
index e06b12e1..00000000
--- a/firewall.yaml
+++ /dev/null
@@ -1,250 +0,0 @@
-# OpenStack firewall setup for baserock.org
-#
-# This rather ugly and verbose Ansible script defines the firewall
-# configuration for the baserock.org cloud.
-#
-# OpenStack security group rules are all ACCEPT rules, and an instance
-# can be in multiple security groups.
-#
-# Note that many systems don't have a floating IP assigned and thus are
-# isolated from the internet. Requests to them are proxied by the
-# frontend-haproxy system.
-#
-# This playbook requires the 'neutron_sec_group' module, available in
-# <https://github.com/openstack-ansible/openstack-ansible-modules/>.
-
-- hosts: localhost
- gather_facts: false
- tasks:
- - name: default security group
- os_security_group:
- name: default
- description: Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections
- state: present
-
- - name: default security group - allow outgoing ICMP
- os_security_group_rule:
- security_group: default
- direction: egress
- port_range_min: 0
- port_range_max: 255
- ethertype: IPv4
- protocol: icmp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: default security group - allow outgoing TCP
- os_security_group_rule:
- security_group: default
- direction: egress
- port_range_min: 1
- port_range_max: 65535
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: default security group -- allow outgoing UDP
- os_security_group_rule:
- security_group: default
- direction: egress
- port_range_min: 1
- port_range_max: 65535
- ethertype: IPv4
- protocol: udp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: default security group -- allow incoming ICMP
- os_security_group_rule:
- security_group: default
- direction: ingress
- port_range_min: 0
- port_range_max: 255
- ethertype: IPv4
- protocol: icmp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: default security group -- allow incoming TCP on port 22 for SSH
- os_security_group_rule:
- security_group: default
- direction: ingress
- port_range_min: 22
- port_range_max: 22
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: open security group
- os_security_group:
- name: open
- description: Allow inbound traffic on all ports. DO NOT USE EXCEPT FOR TESTING!!!
- state: present
-
- - name: open security group -- allow incoming TCP
- os_security_group_rule:
- security_group: open
- direction: ingress
- port_range_min: 1
- port_range_max: 65535
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: open security group -- allow incoming UDP
- os_security_group_rule:
- security_group: open
- direction: ingress
- port_range_min: 1
- port_range_max: 65535
- ethertype: IPv4
- protocol: udp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: haste-server security group
- os_security_group:
- name: haste-server
- description: Allow incoming TCP requests for haste server
- state: present
-
- - name: haste-server security group -- allow incoming TCP on port 7777 for Haste server
- os_security_group_rule:
- security_group: haste-server
- direction: ingress
- port_range_min: 7777
- port_range_max: 7777
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: gitlab-bot security group
- os_security_group:
- name: gitlab-bot
- description: Allow incoming TCP requests for gitlab-bot
- state: present
-
- - name: gitlab-bot security group -- allow incoming TCP on port 1337 for Gitlab IRC bot
- os_security_group_rule:
- security_group: gitlab-bot
- direction: ingress
- port_range_min: 1337
- port_range_max: 1337
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group
- os_security_group:
- name: git-server
- description: Allow inbound SSH, HTTP, HTTPS and Git requests.
- state: present
-
- - name: git-server security group -- allow incoming TCP on port 22 for Git-over-SSH
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 22
- port_range_max: 22
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group -- allow incoming TCP on port 80 for cgit and Git-over-HTTP
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 80
- port_range_max: 80
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group -- allow incoming TCP on port 443 for cgit and Git-over-HTTPS
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 443
- port_range_max: 443
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group -- allow incoming TCP on port 8080 for morph-cache-server tree & SHA1 queries
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 8080
- port_range_max: 8080
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group -- allow incoming TCP on port 9418 for git protocol
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 9418
- port_range_max: 9418
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: shared-artifact-cache security group
- os_security_group:
- name: shared-artifact-cache
- description: Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)
- state: present
-
- - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for ostree-over-HTTP
- os_security_group_rule:
- security_group: shared-artifact-cache
- direction: ingress
- port_range_min: 80
- port_range_max: 80
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for ostree-over-HTTP
- os_security_group_rule:
- security_group: shared-artifact-cache
- direction: ingress
- port_range_min: 443
- port_range_max: 443
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- # The port number here was chosen arbitrarily.
- - name: shared-artifact-cache security group -- allow incoming TCP on port 22200 for ostree-over-SSH
- os_security_group_rule:
- security_group: shared-artifact-cache
- direction: ingress
- port_range_min: 22200
- port_range_max: 22200
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: web-server security group
- os_security_group:
- name: web-server
- description: Allow inbound HTTP and HTTPS.
- state: present
-
- - name: web-server security group -- allow incoming TCP on port 80 for HTTP
- os_security_group_rule:
- security_group: web-server
- direction: ingress
- port_range_min: 80
- port_range_max: 80
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: web-server security group -- allow incoming TCP on port 443 for HTTPS
- os_security_group_rule:
- security_group: web-server
- direction: ingress
- port_range_min: 443
- port_range_max: 443
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0