diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 2173ca0318..24a5be59d2 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -18,6 +18,10 @@ csi_security_category: High
 #
 custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
 #
+# This host is externally reachable
+#
+external: true
+#
 # Set this to get fasclient cron to make the aliases file
 #
 fas_aliases: true
diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave
index 5a202dd46c..571901794d 100644
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@@ -20,6 +20,10 @@ csi_relationship: |
 csi_security_category: High
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_certs:
 - can_send:
   - ansible.playbook.complete
diff --git a/inventory/group_vars/download_iad2 b/inventory/group_vars/download_iad2
index 71117506e7..bb5683e4db 100644
--- a/inventory/group_vars/download_iad2
+++ b/inventory/group_vars/download_iad2
@@ -2,6 +2,10 @@
 blocked_ips: []
 datacenter: iad2
 dns: 10.3.163.33
+#
+# This host is externally reachable
+#
+external: true
 host_group: download-iad2
 # nfs mount options, overrides the all/default
 nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=4"
diff --git a/inventory/group_vars/iad2 b/inventory/group_vars/iad2
new file mode 100644
index 0000000000..7b38ac470e
--- /dev/null
+++ b/inventory/group_vars/iad2
@@ -0,0 +1,4 @@
+---
+# boolean to determine if a host is publically reachable via nat in iad2
+# by default, hosts are not, only specific hosts/groups are.
+external: False
diff --git a/inventory/group_vars/pkgs b/inventory/group_vars/pkgs
index c0e4895e55..06119d933a 100644
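Review bot: `external: False` in the new group_vars/iad2 uses a capitalised boolean while every override in this commit (group_vars/bastion, batcave, download_iad2, pkgs, pkgs_stg and the iad2 host_vars) writes lowercase `external: true`; YAML parses both as booleans, but `external: false` keeps the inventory consistent and satisfies yamllint's truthy rule. Because this default lives only in group_vars/iad2, hosts in other datacenters have no `external` variable at all; the `datacenter != 'iad2' or …` conditions in roles/base only survive that because `or` short-circuits, so any consumer that reads `external` on its own should write `external | default(false) | bool`. The comment has a typo, `publically` → `publicly`, and would be more useful if it named what the flag gates (the blocklist tasks and the iptables template in roles/base) so a reader knows what setting it to true enables.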
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -20,6 +20,10 @@ clamscan_paths:
 - /srv/cache/lookaside/pkgs
 # We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_active: True
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/pkgs_stg b/inventory/group_vars/pkgs_stg
index 3c8345f60a..cb6f046ce4 100644
--- a/inventory/group_vars/pkgs_stg
+++ b/inventory/group_vars/pkgs_stg
@@ -16,6 +16,10 @@ clamscan_paths:
 - /srv/cache/lookaside/pkgs
 # We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_active: True
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/host_vars/ns01.iad2.fedoraproject.org b/inventory/host_vars/ns01.iad2.fedoraproject.org
index c96802b562..c0cf34bf96 100644
--- a/inventory/host_vars/ns01.iad2.fedoraproject.org
+++ b/inventory/host_vars/ns01.iad2.fedoraproject.org
@@ -2,6 +2,10 @@
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.33
+#
+# This host is externally reachable
+#
+external: true
 ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
 ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
 vmhost: vmhost-x86-01.iad2.fedoraproject.org
diff --git a/inventory/host_vars/ns02.iad2.fedoraproject.org b/inventory/host_vars/ns02.iad2.fedoraproject.org
index 8289a3574d..a63fd6a69a 100644
--- a/inventory/host_vars/ns02.iad2.fedoraproject.org
+++ b/inventory/host_vars/ns02.iad2.fedoraproject.org
@@ -2,6 +2,10 @@
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.34
+#
+# This host is externally reachable
+#
+external: true
 ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
 ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
 vmhost: vmhost-x86-02.iad2.fedoraproject.org
diff --git a/inventory/host_vars/proxy01.iad2.fedoraproject.org b/inventory/host_vars/proxy01.iad2.fedoraproject.org
index eee1e27ae5..88c6efc847 100644
--- a/inventory/host_vars/proxy01.iad2.fedoraproject.org
+++ b/inventory/host_vars/proxy01.iad2.fedoraproject.org
@@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
 dns_search3: "fedoraproject.org"
 eth0_ipv4: 10.3.163.74
 eth0_ipv4_gw: 10.3.163.254
+#
+# This host is externally reachable
+#
+external: true
 freezes: true
 has_ipv4: yes
 ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/
diff --git a/inventory/host_vars/proxy10.iad2.fedoraproject.org b/inventory/host_vars/proxy10.iad2.fedoraproject.org
index 103ffec614..d40d846422 100644
--- a/inventory/host_vars/proxy10.iad2.fedoraproject.org
+++ b/inventory/host_vars/proxy10.iad2.fedoraproject.org
@@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
 dns_search3: "fedoraproject.org"
 eth0_ipv4: 10.3.163.75
 eth0_ipv4_gw: 10.3.163.254
+#
+# This host is externally reachable
+#
+external: true
 freezes: true
 has_ipv4: yes
 ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/
diff --git a/inventory/host_vars/secondary01.iad2.fedoraproject.org b/inventory/host_vars/secondary01.iad2.fedoraproject.org
index c6927d2207..9158614d19 100644
--- a/inventory/host_vars/secondary01.iad2.fedoraproject.org
+++ b/inventory/host_vars/secondary01.iad2.fedoraproject.org
@@ -2,6 +2,10 @@
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.86
+#
+# This host is externally reachable
+#
+external: true
 ks_repo: http://10.3.163.35/repo/rhel/RHEL8-x86_64/
 ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-8-iad2
 lvm_size: 40000
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index ea4ed806db..35f8eb9694 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -152,9 +152,41 @@
   command: /usr/sbin/ipset create osbuildapi hash:ip
   ignore_errors: true
   changed_when: false
-  when: inventory_hostname.startswith('build')
+  when: "'osbuild' in group_names"
+  tags:
+  - base
+  - iptables
+
+- name: install blocklist update script
+  copy:
+    src: "{{ private }}/files/blocklist/blocklist-update.sh"
+    dest: /usr/local/bin/blocklist-update.sh
+    owner: root
+    group: root
+    mode: "0700"
+  tags:
+  - base
+  - iptables
+  when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
+
+- name: setup blocklist ipset if this is a new install
+  command: /usr/sbin/ipset create blocklist hash:ip
+  ignore_errors: true
+  changed_when: false
+  when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
+  tags:
+  - base
+  - iptables
+
+- name: setup blocklist update cron job
+  cron:
+    name: blocklist-update
+    user: root
+    minute: 15
+    hour: "*/2"
+    job: /usr/local/bin/blocklist-update.sh
+  when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
   tags:
-  - packages
   - base
   - iptables
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 057e368bdb..41124f732d 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -14,11 +14,9 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-# if the blocked_ips is defined - drop them
-{% if blocked_ips is defined %}
-{% for ip in blocked_ips %}
--A INPUT -s {{ ip }} -j DROP
-{% endfor %}
+# if the host is external, block some ips
+{% if datacenter != 'iad2' or ( datacenter == 'iad2' and hostvars[inventory_hostname].external == 'true' ) %}
+-A INPUT -p any -m set --match-set blocklist src -j REJECT
 {% endif %}
 # allow ssh - always
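Review bot: The three `when:` conditions on the new blocklist tasks compare `external == 'true'`, but `external` is set as a YAML boolean everywhere in this commit (`external: true` in the group_vars/host_vars hunks, `external: False` in group_vars/iad2), and in Jinja a boolean never equals the string `'true'`; the iad2 hosts this commit marks as external will therefore skip the script, the ipset and the cron job, while non-iad2 hosts still match via `datacenter != 'iad2'`. Compare the boolean directly, `when: datacenter != 'iad2' or (external | default(false) | bool)`, on all three tasks — the inner `datacenter == 'iad2'` is redundant once the `or` has failed — and the same comparison in roles/base/templates/iptables/iptables (`hostvars[inventory_hostname].external == 'true'`) needs the same fix. The ipset task also masks every failure with `ignore_errors: true`; if the intent is only to tolerate an already-existing set, `register: blocklist_set` plus `failed_when: blocklist_set.rc != 0 and 'already exists' not in blocklist_set.stderr` is more precise, though the exact ipset message on the target distribution should be confirmed. The osbuildapi task whose `command:` opens this hunk starts above it.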
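Review bot: The new rule switches blocklisted sources from the previous `-j DROP` to `-j REJECT`, so every packet from a listed address now receives a reply (ICMP unreachable or a TCP reset) that confirms the host is up and costs egress for each probe; for a blocklist the old DROP is the usual choice, `-A INPUT -m set --match-set blocklist src -j DROP`. `-p any` is also not a protocol name iptables documents — `all` (or simply omitting `-p`) is — so confirm that `iptables-restore` on the target hosts accepts it, because a rejected line aborts loading the whole ruleset. Dropping the `blocked_ips` loop means any host that still sets a non-empty `blocked_ips` silently loses those rules; group_vars/download_iad2 still declares `blocked_ips: []` in this commit, so the variable should be migrated into the blocklist or removed from inventory. The rule further requires the `blocklist` set to exist before the rules are restored at boot; presumably whatever persists the osbuildapi set covers it, but that is not visible here.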