Diffstat (limited to 'firewall.yaml')
-rw-r--r-- | firewall.yaml | 35 |
1 files changed, 7 insertions, 28 deletions
diff --git a/firewall.yaml b/firewall.yaml
index 800e7390..c468755b 100644
--- a/firewall.yaml
+++ b/firewall.yaml
@@ -235,10 +235,10 @@
   - name: shared-artifact-cache security group
     os_security_group:
       name: shared-artifact-cache
-      description: Allow inbound HTTP, HTTPS and read-only Morph artifact cache access. Allow writable Morph artifact cache access from internal IPs.
+      description: Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)
       state: present
 
-  - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for cache server web frontend
+  - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for ostree-over-HTTP
     os_security_group_rule:
       security_group: shared-artifact-cache
       direction: ingress
@@ -248,7 +248,7 @@
       protocol: tcp
       remote_ip_prefix: 0.0.0.0/0
 
-  - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for cache server web frontend
+  - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for ostree-over-HTTP
     os_security_group_rule:
       security_group: shared-artifact-cache
       direction: ingress
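Review bot: The new `description:` line in the first hunk is written in the first person ("which I've assigned to port 22200"), and this string is stored as the security group's description and shown wherever the group is listed, so a neutral statement reads better: `description: Allow inbound HTTP, HTTPS (TCP 80/443) and ostree-over-SSH on TCP 22200.` The description being replaced also recorded that write access was limited to internal IPs; the new one says nothing about whether the SSH endpoint on 22200 is read-only, and if it is, stating that here is worth the few words. The port-80 and port-443 renames in the same two hunks are fine as they are.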
@@ -258,38 +258,17 @@
       protocol: tcp
       remote_ip_prefix: 0.0.0.0/0
 
-  - name: shared-artifact-cache security group -- allow incoming TCP on port 8080 for cache server read access
+  # The port number here was chosen arbitrarily.
+  - name: shared-artifact-cache security group -- allow incoming TCP on port 22200 for ostree-over-SSH
     os_security_group_rule:
       security_group: shared-artifact-cache
       direction: ingress
-      port_range_min: 8080
-      port_range_max: 8080
+      port_range_min: 22200
+      port_range_max: 22200
       ethertype: IPv4
       protocol: tcp
       remote_ip_prefix: 0.0.0.0/0
 
-  # 8081: 'writable cache server' port. Anyone who can connect
-  # to this port can delete or overwrite cached artifacts.
-  #
-  # FIXME: because the Masons use cache.baserock.org instead of
-  # 192.168.0.16 to access the shared artifact cache, we need to
-  # permit traffic from our public IP range. This provides a
-  # theoritical attack vector from other tenancies, so we should
-  # fix the Masons and remove this rule.
-  - name: shared-artifact-cache security group -- allow incoming internal-only TCP on port 8081 for cache server write access
-    os_security_group_rule:
-      security_group: shared-artifact-cache
-      direction: ingress
-      port_range_min: 8081
-      port_range_max: 8081
-      ethertype: IPv4
-      protocol: tcp
-      remote_ip_prefix: 185.43.218.0/0
-      # It'd be nice to limit access by security group, but it doesn't
-      # seem to actually work. Perhaps because we use external IP to
-      # access instead of internal IP.
-      #remote_group_id: "{{ default_group.sec_group.id }}"
-
   - name: web-server security group
     os_security_group:
       name: web-server
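Review bot: The new port-22200 rule is opened with `remote_ip_prefix: 0.0.0.0/0`, the same scope as the HTTP rules, while the rule this hunk removes kept the writable endpoint on a separate, IP-restricted rule and documented that anyone reaching it could delete or overwrite cached artifacts; nothing in the new rule or its comment records whether SSH on 22200 can write to the cache. If the ostree-over-SSH endpoint accepts pushes, the prefix should be narrowed to the source ranges that need it rather than left world-open; if it is pull-only, that should be stated so the world-open scope is a deliberate choice rather than an accident of replacing the 8080 rule. I would also extend the added comment so the number is traceable, e.g. `# The port number here was chosen arbitrarily; it is expected to match the port` / `# the SSH service on the cache host listens on. Access is read-only (pull) — TODO confirm.` The surrounding task list continues before and after this hunk.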