From 1a848bf3c87dffd6445f90a31cde48ba029f8f6d Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Fri, 10 Sep 2021 16:28:13 +0100
Subject: Remove obsolete files
---
baserock-ops-team.cloud-config | 16 ---
firewall.yaml | 250 -----------------------------------------
2 files changed, 266 deletions(-)
delete mode 100644 baserock-ops-team.cloud-config
delete mode 100644 firewall.yaml
diff --git a/baserock-ops-team.cloud-config b/baserock-ops-team.cloud-config
deleted file mode 100644
index 275deeae..00000000
--- a/baserock-ops-team.cloud-config
+++ /dev/null
@@ -1,16 +0,0 @@
-#cloud-config
-
-# The contents of this cloud-config script should be included in the
-# post-creation 'customisation script' for every instance in the public
-# baserock.org infrastructure. It gives access to all members the Baserock Ops
-# team, so that any member of the team can deploy security updates.
-
-ssh_authorized_keys:
- # Pedro Alvarez
- - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPuirtOH8D/6iNAb3DE079FcTmDlDgusVBJ2FC0O/FHSxwAgNwHhUbCxHAcO/N+HICSvDmjp16Ki0ti2ZxfworG88shPiMOGQfuJaRv1X15AV7NsO80Llsqy/x8X+WdA5iwpUyKM011vv/pS/DhSCHJFJ/vQFgox12HQSKZuzGIOupCiZfHES5t5oEPAcoQYCC0hO4ZevyeO0ZixrOGf/iyXHyb2BoQJAehixt28YOfdaW7Z29SssCGf7QvtADYg+vF5Tazln51vp1M+fo1oF0aa/VLN3gYuf+BI6x6sEc4N/ZQaCR5+oBP3/gIVlIwOOftzC9G+l6PBOS4368nZTv pedro.alvarez@codethink.co.uk
-
- # Gary Perkins
- - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQvRqmYpSVpff0MJq9aigjNQX22PdMkDiXpcV7EbDWdE3QLk7D818dljMKy2SvmgiEO7e/5jn8K7b9Dr88GF4dM/Oxc2k2yP9fzMoW+cE/drHBH+zDb9Zw1xa+t1AcMtl0XAEZft/hvpgx+Tp2XaEv6t7O9Ogxw1ahKtbkgDprhrnC9cVctu3VJhu8amY4BYZC9hRZUa02pCQl1i0klYq7E61zF8I25hS6HP0fbD/O+hAt5N3VqmkN+4QmCP8kkXSmyjKOurnXcGKPWonpOyB3cwVk3DO7krsw2qIIVoe/9PIK112oHNJxM01UUF+ZiPGEWawQfHRNG8Y03KQJanaf gary@garyp
-
- # Sam Thursfield
- - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkDPLAg9ueRzIVdPbfsGboXbnd7HIwQ9oiFh1JP8NvyZ0ZWejmY7m5k6FOTDBp70Rwx1/6+rzLyCsbT5SN+rK0Ywl145A09jODRt2PWZ3ddsUDfXTY7Ycu3MLOsyjIiY5o9zhSmu+/pU90TlvlE16TFUPnyc4PDqI1DALCUf7OxDVihcecn4Fhd0XQI8FBM/c47CjvyD2g+xr2b5Qa7eCfBEFTCqpQegDOQN3Hlq1t1VLLXv+srcQkI+uh4wseJ3GcQ4T/+6w6axlGd6a2v8IjKALxveCKyI5bHirKTMJZg+BCulb+ucoafbRbLcNpmrEVfhUE5O4/ffBExaEiwni1 sam.thursfield@codethink.co.uk
diff --git a/firewall.yaml b/firewall.yaml
deleted file mode 100644
index e06b12e1..00000000
--- a/firewall.yaml
+++ /dev/null
@@ -1,250 +0,0 @@
-# OpenStack firewall setup for baserock.org
-#
-# This rather ugly and verbose Ansible script defines the firewall
-# configuration for the baserock.org cloud.
-#
-# OpenStack security group rules are all ACCEPT rules, and an instance
-# can be in multiple security groups.
-#
-# Note that many systems don't have a floating IP assigned and thus are
-# isolated from the internet. Requests to them are proxied by the
-# frontend-haproxy system.
-#
-# This playbook requires the 'neutron_sec_group' module, available in
-# .
-
-- hosts: localhost
- gather_facts: false
- tasks:
- - name: default security group
- os_security_group:
- name: default
- description: Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections
- state: present
-
- - name: default security group - allow outgoing ICMP
- os_security_group_rule:
- security_group: default
- direction: egress
- port_range_min: 0
- port_range_max: 255
- ethertype: IPv4
- protocol: icmp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: default security group - allow outgoing TCP
- os_security_group_rule:
- security_group: default
- direction: egress
- port_range_min: 1
- port_range_max: 65535
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: default security group -- allow outgoing UDP
- os_security_group_rule:
- security_group: default
- direction: egress
- port_range_min: 1
- port_range_max: 65535
- ethertype: IPv4
- protocol: udp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: default security group -- allow incoming ICMP
- os_security_group_rule:
- security_group: default
- direction: ingress
- port_range_min: 0
- port_range_max: 255
- ethertype: IPv4
- protocol: icmp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: default security group -- allow incoming TCP on port 22 for SSH
- os_security_group_rule:
- security_group: default
- direction: ingress
- port_range_min: 22
- port_range_max: 22
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: open security group
- os_security_group:
- name: open
- description: Allow inbound traffic on all ports. DO NOT USE EXCEPT FOR TESTING!!!
- state: present
-
- - name: open security group -- allow incoming TCP
- os_security_group_rule:
- security_group: open
- direction: ingress
- port_range_min: 1
- port_range_max: 65535
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: open security group -- allow incoming UDP
- os_security_group_rule:
- security_group: open
- direction: ingress
- port_range_min: 1
- port_range_max: 65535
- ethertype: IPv4
- protocol: udp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: haste-server security group
- os_security_group:
- name: haste-server
- description: Allow incoming TCP requests for haste server
- state: present
-
- - name: haste-server security group -- allow incoming TCP on port 7777 for Haste server
- os_security_group_rule:
- security_group: haste-server
- direction: ingress
- port_range_min: 7777
- port_range_max: 7777
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: gitlab-bot security group
- os_security_group:
- name: gitlab-bot
- description: Allow incoming TCP requests for gitlab-bot
- state: present
-
- - name: gitlab-bot security group -- allow incoming TCP on port 1337 for Gitlab IRC bot
- os_security_group_rule:
- security_group: gitlab-bot
- direction: ingress
- port_range_min: 1337
- port_range_max: 1337
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group
- os_security_group:
- name: git-server
- description: Allow inbound SSH, HTTP, HTTPS and Git requests.
- state: present
-
- - name: git-server security group -- allow incoming TCP on port 22 for Git-over-SSH
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 22
- port_range_max: 22
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group -- allow incoming TCP on port 80 for cgit and Git-over-HTTP
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 80
- port_range_max: 80
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group -- allow incoming TCP on port 443 for cgit and Git-over-HTTPS
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 443
- port_range_max: 443
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group -- allow incoming TCP on port 8080 for morph-cache-server tree & SHA1 queries
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 8080
- port_range_max: 8080
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: git-server security group -- allow incoming TCP on port 9418 for git protocol
- os_security_group_rule:
- security_group: git-server
- direction: ingress
- port_range_min: 9418
- port_range_max: 9418
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: shared-artifact-cache security group
- os_security_group:
- name: shared-artifact-cache
- description: Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)
- state: present
-
- - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for ostree-over-HTTP
- os_security_group_rule:
- security_group: shared-artifact-cache
- direction: ingress
- port_range_min: 80
- port_range_max: 80
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for ostree-over-HTTP
- os_security_group_rule:
- security_group: shared-artifact-cache
- direction: ingress
- port_range_min: 443
- port_range_max: 443
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- # The port number here was chosen arbitrarily.
- - name: shared-artifact-cache security group -- allow incoming TCP on port 22200 for ostree-over-SSH
- os_security_group_rule:
- security_group: shared-artifact-cache
- direction: ingress
- port_range_min: 22200
- port_range_max: 22200
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: web-server security group
- os_security_group:
- name: web-server
- description: Allow inbound HTTP and HTTPS.
- state: present
-
- - name: web-server security group -- allow incoming TCP on port 80 for HTTP
- os_security_group_rule:
- security_group: web-server
- direction: ingress
- port_range_min: 80
- port_range_max: 80
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
-
- - name: web-server security group -- allow incoming TCP on port 443 for HTTPS
- os_security_group_rule:
- security_group: web-server
- direction: ingress
- port_range_min: 443
- port_range_max: 443
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 0.0.0.0/0
--
cgit v1.2.1