From b2f63b9c4ec10f8932fb2bee9f895ea81f596fc7 Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Fri, 10 Sep 2021 16:28:13 +0100
Subject: Remove obsolete files
---
firewall.yaml | 250 ----------------------------------------------------------
1 file changed, 250 deletions(-)
delete mode 100644 firewall.yaml
(limited to 'firewall.yaml')
diff --git a/firewall.yaml b/firewall.yaml
deleted file mode 100644
index e06b12e1..00000000
--- a/firewall.yaml
+++ /dev/null
@@ -1,250 +0,0 @@ -# OpenStack firewall setup for baserock.org -# -# This rather ugly and verbose Ansible script defines the firewall -# configuration for the baserock.org cloud. -# -# OpenStack security group rules are all ACCEPT rules, and an instance -# can be in multiple security groups. -# -# Note that many systems don't have a floating IP assigned and thus are -# isolated from the internet. Requests to them are proxied by the -# frontend-haproxy system. -# -# This playbook requires the 'neutron_sec_group' module, available in -# . - -- hosts: localhost - gather_facts: false - tasks: - - name: default security group - os_security_group: - name: default - description: Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections - state: present - - - name: default security group - allow outgoing ICMP - os_security_group_rule: - security_group: default - direction: egress - port_range_min: 0 - port_range_max: 255 - ethertype: IPv4 - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - - - name: default security group - allow outgoing TCP - os_security_group_rule: - security_group: default - direction: egress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: default security group -- allow outgoing UDP - os_security_group_rule: - security_group: default - direction: egress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: udp - remote_ip_prefix: 0.0.0.0/0 - - - name: default security group -- allow incoming ICMP - os_security_group_rule: - security_group: default - direction: ingress - port_range_min: 0 - port_range_max: 255 - ethertype: IPv4 - protocol: icmp - remote_ip_prefix: 0.0.0.0/0 - - - name: default security group -- allow incoming TCP on port 22 for SSH - os_security_group_rule: - security_group: default - direction: ingress - port_range_min: 22 - port_range_max: 22 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: open 
security group - os_security_group: - name: open - description: Allow inbound traffic on all ports. DO NOT USE EXCEPT FOR TESTING!!! - state: present - - - name: open security group -- allow incoming TCP - os_security_group_rule: - security_group: open - direction: ingress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: open security group -- allow incoming UDP - os_security_group_rule: - security_group: open - direction: ingress - port_range_min: 1 - port_range_max: 65535 - ethertype: IPv4 - protocol: udp - remote_ip_prefix: 0.0.0.0/0 - - - name: haste-server security group - os_security_group: - name: haste-server - description: Allow incoming TCP requests for haste server - state: present - - - name: haste-server security group -- allow incoming TCP on port 7777 for Haste server - os_security_group_rule: - security_group: haste-server - direction: ingress - port_range_min: 7777 - port_range_max: 7777 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: gitlab-bot security group - os_security_group: - name: gitlab-bot - description: Allow incoming TCP requests for gitlab-bot - state: present - - - name: gitlab-bot security group -- allow incoming TCP on port 1337 for Gitlab IRC bot - os_security_group_rule: - security_group: gitlab-bot - direction: ingress - port_range_min: 1337 - port_range_max: 1337 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: git-server security group - os_security_group: - name: git-server - description: Allow inbound SSH, HTTP, HTTPS and Git requests. 
- state: present - - - name: git-server security group -- allow incoming TCP on port 22 for Git-over-SSH - os_security_group_rule: - security_group: git-server - direction: ingress - port_range_min: 22 - port_range_max: 22 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: git-server security group -- allow incoming TCP on port 80 for cgit and Git-over-HTTP - os_security_group_rule: - security_group: git-server - direction: ingress - port_range_min: 80 - port_range_max: 80 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: git-server security group -- allow incoming TCP on port 443 for cgit and Git-over-HTTPS - os_security_group_rule: - security_group: git-server - direction: ingress - port_range_min: 443 - port_range_max: 443 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: git-server security group -- allow incoming TCP on port 8080 for morph-cache-server tree & SHA1 queries - os_security_group_rule: - security_group: git-server - direction: ingress - port_range_min: 8080 - port_range_max: 8080 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: git-server security group -- allow incoming TCP on port 9418 for git protocol - os_security_group_rule: - security_group: git-server - direction: ingress - port_range_min: 9418 - port_range_max: 9418 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: shared-artifact-cache security group - os_security_group: - name: shared-artifact-cache - description: Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200) - state: present - - - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for ostree-over-HTTP - os_security_group_rule: - security_group: shared-artifact-cache - direction: ingress - port_range_min: 80 - port_range_max: 80 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: shared-artifact-cache security group -- allow 
incoming TCP on port 443 for ostree-over-HTTP - os_security_group_rule: - security_group: shared-artifact-cache - direction: ingress - port_range_min: 443 - port_range_max: 443 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - # The port number here was chosen arbitrarily. - - name: shared-artifact-cache security group -- allow incoming TCP on port 22200 for ostree-over-SSH - os_security_group_rule: - security_group: shared-artifact-cache - direction: ingress - port_range_min: 22200 - port_range_max: 22200 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: web-server security group - os_security_group: - name: web-server - description: Allow inbound HTTP and HTTPS. - state: present - - - name: web-server security group -- allow incoming TCP on port 80 for HTTP - os_security_group_rule: - security_group: web-server - direction: ingress - port_range_min: 80 - port_range_max: 80 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 - - - name: web-server security group -- allow incoming TCP on port 443 for HTTPS - os_security_group_rule: - security_group: web-server - direction: ingress - port_range_min: 443 - port_range_max: 443 - ethertype: IPv4 - protocol: tcp - remote_ip_prefix: 0.0.0.0/0 -- cgit v1.2.1