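---
# OpenStack firewall setup for baserock.org
#
# This rather ugly and verbose Ansible playbook defines the firewall
# configuration (Neutron security groups) for the baserock.org cloud.
#
# OpenStack security group rules are all ACCEPT rules -- there is no way
# to express a DENY -- and an instance can be in multiple security
# groups, so an instance's effective policy is the UNION of every group
# it belongs to. A broad group can never be "narrowed" by adding a
# second, tighter group; it must simply not be assigned.
#
# Note that many systems don't have a floating IP assigned and thus are
# isolated from the internet. Requests to them are proxied by the
# frontend-haproxy system. Rules with remote_ip_prefix 0.0.0.0/0 are
# therefore only world-reachable on instances that do have a floating
# IP, but they are still reachable from every other tenant network the
# instance is attached to.
#
# This playbook uses the os_security_group and os_security_group_rule
# modules, which need the OpenStack Python SDK available on the host
# running Ansible (localhost).
#
# Every rule below is IPv4 only (ethertype: IPv4). Nothing here opens
# IPv6 ingress; if the cloud hands out IPv6 addresses, the equivalent
# rules must be added explicitly.

- hosts: localhost
  gather_facts: false

  vars:
    # Source range allowed to reach SSH (TCP/22) on every instance via the
    # 'default' group. Defaults to the whole internet to preserve the
    # original behaviour; override at run time
    # (-e ssh_ingress_cidr=203.0.113.0/24) to limit administrative access
    # to known management ranges.
    ssh_ingress_cidr: 0.0.0.0/0

  tasks:
    # ------------------------------------------------------------------
    # 'default': applied to every instance. Unrestricted egress, inbound
    # ICMP, and inbound SSH.
    # ------------------------------------------------------------------
    - name: default security group
      os_security_group:
        name: default
        description: Allow all outgoing traffic, and allow incoming ICMP (ping) and SSH connections
        state: present

    # For protocol icmp, port_range_min/max are the ICMP type/code range,
    # not TCP/UDP ports; 0-255 means every type and code.
    - name: default security group - allow outgoing ICMP
      os_security_group_rule:
        security_group: default
        direction: egress
        port_range_min: 0
        port_range_max: 255
        ethertype: IPv4
        protocol: icmp
        remote_ip_prefix: 0.0.0.0/0

    - name: default security group - allow outgoing TCP
      os_security_group_rule:
        security_group: default
        direction: egress
        port_range_min: 1
        port_range_max: 65535
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: default security group -- allow outgoing UDP
      os_security_group_rule:
        security_group: default
        direction: egress
        port_range_min: 1
        port_range_max: 65535
        ethertype: IPv4
        protocol: udp
        remote_ip_prefix: 0.0.0.0/0

    - name: default security group -- allow incoming ICMP
      os_security_group_rule:
        security_group: default
        direction: ingress
        port_range_min: 0
        port_range_max: 255
        ethertype: IPv4
        protocol: icmp
        remote_ip_prefix: 0.0.0.0/0

    # Because 'default' is on every instance, this single rule decides
    # where SSH can be reached from cloud-wide. The source range comes
    # from ssh_ingress_cidr (see vars above) so it can be tightened
    # without editing the playbook.
    - name: default security group -- allow incoming TCP on port 22 for SSH
      os_security_group_rule:
        security_group: default
        direction: ingress
        port_range_min: 22
        port_range_max: 22
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: "{{ ssh_ingress_cidr }}"

    # ------------------------------------------------------------------
    # 'open': every TCP and UDP port from anywhere. Exists only as a
    # debugging aid. Because groups are additive, assigning it to an
    # instance exposes every listening service on that instance, and no
    # other group can take that back.
    # ------------------------------------------------------------------
    - name: open security group
      os_security_group:
        name: open
        description: Allow inbound traffic on all ports. DO NOT USE EXCEPT FOR TESTING!!!
        state: present

    - name: open security group -- allow incoming TCP
      os_security_group_rule:
        security_group: open
        direction: ingress
        port_range_min: 1
        port_range_max: 65535
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: open security group -- allow incoming UDP
      os_security_group_rule:
        security_group: open
        direction: ingress
        port_range_min: 1
        port_range_max: 65535
        ethertype: IPv4
        protocol: udp
        remote_ip_prefix: 0.0.0.0/0

    # ------------------------------------------------------------------
    # 'haste-server': the paste service, plain TCP on 7777 from anywhere.
    # ------------------------------------------------------------------
    - name: haste-server security group
      os_security_group:
        name: haste-server
        description: Allow incoming TCP requests for haste server
        state: present

    - name: haste-server security group -- allow incoming TCP on port 7777 for Haste server
      os_security_group_rule:
        security_group: haste-server
        direction: ingress
        port_range_min: 7777
        port_range_max: 7777
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    # ------------------------------------------------------------------
    # 'gitlab-bot': the IRC bot's webhook listener on 1337. Open to the
    # world; if the only legitimate caller is GitLab, restricting
    # remote_ip_prefix to GitLab's source range would shrink the exposed
    # surface (confirm the caller before tightening).
    # ------------------------------------------------------------------
    - name: gitlab-bot security group
      os_security_group:
        name: gitlab-bot
        description: Allow incoming TCP requests for gitlab-bot
        state: present

    - name: gitlab-bot security group -- allow incoming TCP on port 1337 for Gitlab IRC bot
      os_security_group_rule:
        security_group: gitlab-bot
        direction: ingress
        port_range_min: 1337
        port_range_max: 1337
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    # ------------------------------------------------------------------
    # 'git-server': SSH, HTTP(S), the git:// protocol and the
    # morph-cache-server query API.
    # ------------------------------------------------------------------
    - name: git-server security group
      os_security_group:
        name: git-server
        description: Allow inbound SSH, HTTP, HTTPS and Git requests.
        state: present

    # Port 22 is already opened by the 'default' group; this rule keeps
    # Git-over-SSH world-reachable on the git server even if
    # ssh_ingress_cidr is tightened for the rest of the fleet.
    - name: git-server security group -- allow incoming TCP on port 22 for Git-over-SSH
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 22
        port_range_max: 22
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: git-server security group -- allow incoming TCP on port 80 for cgit and Git-over-HTTP
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 80
        port_range_max: 80
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: git-server security group -- allow incoming TCP on port 443 for cgit and Git-over-HTTPS
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 443
        port_range_max: 443
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    # 8080 is an unencrypted HTTP query API, exposed to the whole
    # internet on instances with a floating IP. If only the build
    # workers need it, narrow remote_ip_prefix to their network.
    - name: git-server security group -- allow incoming TCP on port 8080 for morph-cache-server tree & SHA1 queries
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 8080
        port_range_max: 8080
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    # git:// is unauthenticated and unencrypted; fine for read-only
    # anonymous clones, never for push.
    - name: git-server security group -- allow incoming TCP on port 9418 for git protocol
      os_security_group_rule:
        security_group: git-server
        direction: ingress
        port_range_min: 9418
        port_range_max: 9418
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    # ------------------------------------------------------------------
    # 'shared-artifact-cache': ostree over HTTP(S), plus a second sshd
    # on 22200 dedicated to ostree pushes.
    # ------------------------------------------------------------------
    - name: shared-artifact-cache security group
      os_security_group:
        name: shared-artifact-cache
        description: Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)
        state: present

    - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for ostree-over-HTTP
      os_security_group_rule:
        security_group: shared-artifact-cache
        direction: ingress
        port_range_min: 80
        port_range_max: 80
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for ostree-over-HTTPS
      os_security_group_rule:
        security_group: shared-artifact-cache
        direction: ingress
        port_range_min: 443
        port_range_max: 443
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    # The port number here was chosen arbitrarily. Moving SSH off 22 does
    # not hide it from scanners; access control must still come from the
    # sshd configuration on the instance (key-only, restricted users),
    # since this rule admits the whole internet.
    - name: shared-artifact-cache security group -- allow incoming TCP on port 22200 for ostree-over-SSH
      os_security_group_rule:
        security_group: shared-artifact-cache
        direction: ingress
        port_range_min: 22200
        port_range_max: 22200
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    # ------------------------------------------------------------------
    # 'web-server': plain HTTP and HTTPS from anywhere.
    # ------------------------------------------------------------------
    - name: web-server security group
      os_security_group:
        name: web-server
        description: Allow inbound HTTP and HTTPS.
        state: present

    - name: web-server security group -- allow incoming TCP on port 80 for HTTP
      os_security_group_rule:
        security_group: web-server
        direction: ingress
        port_range_min: 80
        port_range_max: 80
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0

    - name: web-server security group -- allow incoming TCP on port 443 for HTTPS
      os_security_group_rule:
        security_group: web-server
        direction: ingress
        port_range_min: 443
        port_range_max: 443
        ethertype: IPv4
        protocol: tcp
        remote_ip_prefix: 0.0.0.0/0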