Move base to a role.

Clean up syntax in all the base tasks.
Add CONVENTIONS file for info on where things go.
Tweak readme.
Switch add playbooks to base role instead of task.

CONVENTIONS

@@ -0,0 +1,112 @@
+This file describes some conventions we are going to try and use
+to keep things organized and everyone on the same page. 
+
+If you find you need to diverge from this document for something, 
+please discuss it on the infrastructure list and see if we can 
+adjust this document for that use case. 
+
+Playbook naming
+===============
+The top level playbooks directory should contain: 
+
+* Playbooks that are generic and used by serveral groups/hosts playbooks
+* Playbooks used for utility purposes from command line
+* Groups and Hosts subdirs. 
+
+Generic playbooks are included in other playbooks and perform 
+basic setup that is used by other groups/hosts. 
+Examples: cloud setup, collectd, webserver, iptables, etc
+
+Utility playbooks are used by sysadmins command line to perform some 
+specific function. Examples: host update, vhost update, vhost reboot. 
+
+The playbooks/groups/ directory should contain one playbook per 
+group. This should be used in the case of multiple machines/instances
+in a group. MUST include a hosts entry that describes the hosts in the group.
+Examples: packages, proxy, unbound, virthost, etc.
+Try and be descriptive with the name here. 
+
+The playbooks/hosts/ directory should contain one playbook per 'host'
+for when a role is handled by only one host. Hosts playbooks
+MUST be FQDN.yml, MUST contain Hosts: the host or ip. 
+Examples: persistent cloud images, special hosts. 
+
+Where possible groups should be used. Hosts playbooks should only 
+be used in specific cases where a generic group playbook would not work. 
+
+Both groups and hosts playbooks should always include:  
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - ${private}/vars.yml
+   - ${vars}/${ansible_distribution}.yml
+
+Play naming
+===========
+Plays in playbooks should be a short readable description of what the play
+is doing. This will be displayed to the user and/or mailed out, so think 
+about what you would like to see if the play you are writing failed that 
+would be descriptive to the reader to help fix it. 
+
+Inventory
+=========
+The inventory file should add all hosts to one (or more) groups. 
+
+When there are staging hosts for a role/service, they should be in the 
+main group for that role as well as a staging for the role. 
+FIXME: will depend on how we do staging. (see below)
+
+Tags
+====
+Tags allow you to run just a subset of plays with a specific tag(s). 
+
+We have some standard tags we should use on all plays: 
+
+packages - this play installs or removes packages. 
+
+config - this play installs config files. 
+
+check - we could use this tag to include 'is everything running that should be' 
+        type tasks. 
+
+FIXME: others?
+
+Production vs Staging vs Development
+====================================
+In the default state, we should strive to have production and staging using 
+the same exact playbooks. development can also do so, or just be a more 
+minimal free form for the developer. 
+
+When needing to make changes to test in staging the following process should
+be used: 
+
+FIXME... :) 
+
+Requirements: 
+
+1. shouldn't touch prod playbook by default
+2. should be easy to merge changes back to prod
+3. should not require people to remember to do a bunch of steps. 
+4. should be easy to see exactly what changes are pending only in stg. 
+
+Cron job/automatic execution
+============================
+
+We would like to get ansible running over hosts in an automated way. 
+A git hook could do this. 
+
+* On commit:
+	If we have a way to detemine exactly what hosts are affected by a 
+        change we could simply run only on those hosts. 
+
+        We might want a short delay (10m) to allow someone to see a problem
+        or others to note one from the commit. 
+
+* Once a day: (more often? less often?) 
+
+        We may want to re-run on all hosts once a day and yell loudly 
+        if anything changed. 
+
+        FIXME: perhaps we want a tag of items to run at this time? 
+        FIXME: alternately we could have a util playbook that runs a 
+               bunch of checks for us? 
+

README

@@ -1,9 +1,15 @@
-ansible repository/structure
+== ansible repository/structure ==
 
 files - files and templates for use in playbooks/tasks
       - subdirs for specific tasks/dirs highly recommended
 
 inventory - where the inventory and additional vars is stored
+          - All files in this directory in ini format 
+          - added together for total inventory
+  group_vars: 
+          - per group variables set here in a file per group 
+  host_vars: 
+          - per host variables set here in a file per host 
 
 library - library of custom local ansible modules
 
@@ -11,6 +17,10 @@ playbooks - collections of plays we want to run on systems
 
 tasks - snippets of tasks that should be included in plays
 
+roles - specific roles to be use in playbooks. 
+        Each role has it's own files/templates/vars
+
+== Paths ==
 
 public path for everything is:
 
@@ -20,12 +30,11 @@ private path - which is sysadmin-main accessible only is:
 
  /srv/private/ansible
 
-
 In general to run any ansible playbook you will want to run:
 
 sudo -i ansible-playbook /path/to/playbook.yml
 
-
+== Cloud information ==
 
 cloud instances:
 to startup a new cloud instance and configure for basic server use run (as
@@ -61,9 +70,6 @@ define these with:
 
 --extra-vars="varname=value varname1=value varname2=value"
 
-
-
-
 Name        Memory_MB  Disk   VCPUs
 m1.tiny     512        0      1    
 m1.small    2048       20     1    
@@ -171,10 +177,6 @@ The available images can be found by running::
 You should be able to run that playbook over and over again safely, it will
 only setup/create a new instance if the ip is not up/responding.
 
-
-
-
-
 SECURITY GROUPS
 - to edit security groups you must either have your own cloud account or
   be a member of sysadmin-main

playbooks/groups/arm-packager.yml

@@ -12,6 +12,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/fas_client
@@ -20,7 +21,6 @@
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

playbooks/groups/arm-qa.yml

@@ -12,6 +12,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/fas_client
@@ -20,7 +21,6 @@
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

playbooks/groups/arm-releng.yml

@@ -12,6 +12,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/fas_client
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
@@ -20,7 +21,6 @@
   tasks:
   # this is how you include other task lists
   - include: $tasks/hosts.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/common_scripts.yml

playbooks/groups/backup-server.yml

@@ -14,6 +14,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -22,7 +23,6 @@
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

playbooks/groups/badges-backend.yml

@@ -30,6 +30,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

playbooks/groups/badges-web.yml

@@ -30,6 +30,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -39,7 +40,6 @@
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

playbooks/groups/beaker.yml

@@ -29,6 +29,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/motd.yml

playbooks/groups/gallery.yml

@@ -30,6 +30,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

playbooks/groups/kernel-qa.yml

@@ -13,6 +13,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -22,7 +23,6 @@
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

playbooks/groups/keyserver.yml

@@ -30,6 +30,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/openvpn_client.yml
   - include: $tasks/motd.yml

playbooks/groups/koji-hub.yml

@@ -31,6 +31,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -39,7 +40,6 @@
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

playbooks/groups/mailman.yml

@@ -29,6 +29,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -39,7 +40,6 @@
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/motd.yml

playbooks/groups/mirrorlist.yml

@@ -39,6 +39,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -50,7 +51,6 @@
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/openvpn_client.yml

playbooks/groups/postgresl-server.yml

@@ -31,6 +31,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -40,7 +41,6 @@
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

playbooks/groups/sign.yml

@@ -16,14 +16,14 @@
    - ${private}/vars.yml
    - ${vars}/${ansible_distribution}.yml
 
+  roles:
+  - /srv/web/infra/ansible/roles/base
+  - /srv/web/infra/ansible/roles/rkhunter
+
   tasks:
-  - include: $tasks/base.yml
   - include: $tasks/serialgetty.yml
   - include: $tasks/motd.yml
   - include: $tasks/sign_setup.yml
 
-  roles:
-  - /srv/web/infra/ansible/roles/rkhunter
-
   handlers:
   - include: $handlers/restart_services.yml

playbooks/groups/taskbot.yml

@@ -29,6 +29,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -38,7 +39,6 @@
   # this is how you include other task lists
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/collectd/client.yml
   - include: $tasks/motd.yml

playbooks/groups/virthost.yml

@@ -13,6 +13,7 @@
    - ${vars}/${ansible_distribution}.yml
 
   roles:
+  - /srv/web/infra/ansible/roles/base
   - /srv/web/infra/ansible/roles/rkhunter
   - /srv/web/infra/ansible/roles/denyhosts
   - /srv/web/infra/ansible/roles/nagios_client
@@ -21,7 +22,6 @@
   tasks:
   - include: $tasks/hosts.yml
   - include: $tasks/yumrepos.yml
-  - include: $tasks/base.yml
   - include: $tasks/2fa_client.yml
   - include: $tasks/motd.yml
   - include: $tasks/sudo.yml

roles/base/README

@@ -0,0 +1,4 @@
+This role is the base setup for all our machines. 
+
+If there's something that shouldn't be run on every single 
+machine, it should be in another role. 

roles/base/tasks/main.yml

@@ -0,0 +1,138 @@
+---
+
+#
+# This is the base role for all machines. 
+# Things in here are things we want to do to every machine no matter what. 
+#
+
+- name: sshd_config 
+  copy: src={{ item }} dest=/etc/ssh/sshd_config mode=600
+  first_available_file:
+    - ${sshd_config}
+    - ssh/sshd_config.{{ ansible_fqdn }}
+    - ssh/sshd_config.{{ host_group }}
+    - ssh/sshd_config.{{ dist_tag }}
+    - ssh/sshd_config.{{ ansible_distribution }}
+    - ssh/sshd_config.{{ ansible_distribution_version }}
+  notify:
+  - restart sshd
+  tags:
+  - sshd_config
+  - config
+  - sshd
+
+- name: set root passwd
+  user: name=root password={{ rootpw }} state=present
+  tags:
+  - rootpw
+
+- name: add ansible root key 
+  authorized_key: user=root key="{{ item }}"
+  with_file:
+  - ansible-pub-key
+  tags:
+  - config
+
+- name: make sure our resolv.conf is the one being used - set RESOLV_MODS=no in /etc/sysconfig/network
+  lineinfile: dest=/etc/sysconfig/network create=yes backup=yes state=present line='RESOLV_MODS=no' regexp=^RESOLV_MODS=
+  tags:
+  - config
+  
+- name: global default packages to install
+  yum: state=installed name={{ item }}
+  with_items: global_pkgs_inst
+  tags:
+  - packages
+
+- name: dist pkgs to remove
+  yum: state=removed name={{ item }}
+  with_items: base_pkgs_erase
+  tags:
+  - packages
+
+- name: dist pkgs to install
+  yum: state=installed name={{ item }}
+  with_items: base_pkgs_inst
+  tags:
+  - packages
+
+- name: dist disabled services
+  service: state=stopped enabled=false name={{ item }}
+  with_items: service_disabled
+  tags:
+  - service
+  - config
+
+- name: dist enabled services
+  service: state=running enabled=true name={{ item }}
+  with_items: service_enabled
+  tags:
+  - service
+  - config
+
+- name: iptables
+  template: src={{ item }} dest=/etc/sysconfig/iptables mode=600 backup=yes
+  first_available_file:
+    - $iptables
+    - iptables/iptables.{{ ansible_fqdn }}
+    - iptables/iptables.{{ host_group }}
+    - iptables/iptables.{{ env }}
+    - iptables/iptables
+  notify:
+  - restart iptables
+  tags:
+  - iptables
+  - config
+
+# XXX fixme # a datacenter 'fact' from setup
+- name: /etc/resolv.conf
+  copy: src={{ item }} dest=/etc/resolv.conf
+  first_available_file:
+  - ${resolvconf}
+  - resolv.conf/{{ ansible_fqdn }}
+  - resolv.conf/{{ host_group }}
+  - resolv.conf/{{ datacenter }}
+  - resolv.conf/resolv.conf
+  tags:
+  - config
+  - resolvconf
+
+- name: rsyslog.conf
+  copy: src={{ item }} dest=/etc/rsyslog.conf mode=644
+  first_available_file:
+    - $rsyslogconf
+    - rsyslog/rsyslog.conf.{{ ansible_fqdn }}
+    - rsyslog/rsyslog.conf.{{ host_group }}
+    - rsyslog/rsyslog.conf.{{ datacenter }}
+    - rsyslog/rsyslog.conf
+
+  notify:
+  - restart rsyslog
+  tags:
+  - rsyslogd
+  - config
+
+- name: /etc/postfix/main.cf
+  copy: src={{ item }} dest=/etc/postfix/main.cf
+  first_available_file:
+    - $postfix_maincf
+    - postfix/main.cf.{{ ansible_fqdn }}
+    - postfix/main.cf.{{ host_group }}
+    - postfix/main.cf.{{ postfix_group }}
+    - postfix/main.cf
+  notify:
+  - restart postfix
+  tags:
+  - postfix
+  - config
+
+#
+# This task installs some common scripts to /usr/local/bin
+# scripts are under roles/base/files/common-scripts
+#
+
+- name: Install common scripts
+  copy: src=$item dest=/usr/local/bin/ owner=root group=root mode=0755
+  with_fileglob: common-scripts/*
+  tags:
+  - config

roles/base/templates/iptables/iptables

@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for fireball mode - allow port 5099 from lockbox and it's ips
+-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT

roles/base/templates/iptables/iptables.sign

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -p icmp -j ACCEPT 
+-A INPUT -i lo -j ACCEPT 
+# Allow connections from client/server
+-A INPUT -p tcp -m tcp --dport 44333:44334 -j ACCEPT 
+-A INPUT -j REJECT --reject-with icmp-host-prohibited 
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
+COMMIT
+

roles/base/templates/iptables/iptables.staging

@@ -0,0 +1,64 @@
+# {{ ansible_managed }}
+*nat
+:PREROUTING ACCEPT []
+:POSTROUTING ACCEPT []
+:OUTPUT ACCEPT []
+
+# Redirect staging attempts to talk to the external proxy to an internal ip.
+# This is primarily for openid in staging which needs to get around proxy
+# redirects.
+-A OUTPUT -d 209.132.181.14 -j DNAT --to-destination 10.5.126.89
+
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for fireball mode - allow port 5099 from lockbox and it's ips
+-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT

tasks/base.yml

@@ -1,134 +0,0 @@
----
-
-- name: sshd_config 
-  copy: src={{ item }} dest=/etc/ssh/sshd_config mode=600
-  first_available_file:
-    - ${sshd_config}
-    - ${files}/ssh/sshd_config.{{ ansible_fqdn }}
-    - ${files}/ssh/sshd_config.{{ host_group }}
-    - ${files}/ssh/sshd_config.{{ dist_tag }}
-    - ${files}/ssh/sshd_config.{{ ansible_distribution }}
-    - ${files}/ssh/sshd_config.{{ ansible_distribution_version }}
-  notify:
-  - restart sshd
-  tags:
-  - sshd_config
-  - config
-  - sshd
-
-- name: set root passwd
-  action: user name=root password={{ rootpw }} state=present
-  tags:
-  - rootpw
-
-- name: add ansible root key 
-  action: authorized_key user=root key="{{ item }}"
-  with_file:
-  - ${files}/common/ansible-pub-key
-  tags:
-  - config
-
-- name: make sure our resolv.conf is the one being used - set RESOLV_MODS=no in /etc/sysconfig/network
-  lineinfile: dest=/etc/sysconfig/network create=yes backup=yes state=present line='RESOLV_MODS=no' regexp=^RESOLV_MODS=
-  tags:
-  - config
-  
-- name: global default packages to install
-  action: yum state=installed name=$item
-  with_items: $global_pkgs_inst
-  tags:
-  - packages
-
-- name: dist pkgs to remove
-  action: yum state=removed name=$item
-  with_items: $base_pkgs_erase
-  tags:
-  - packages
-
-- name: dist pkgs to install
-  action: yum state=installed name=$item
-  with_items: $base_pkgs_inst
-  tags:
-  - packages
-
-- name: dist disabled services
-  action: service state=stopped enabled=false name=$item
-  with_items: $service_disabled
-  tags:
-  - service
-  - config
-
-- name: dist enabled services
-  action: service state=running enabled=true name=$item
-  with_items: $service_enabled
-  tags:
-  - service
-  - config
-
-
-- name: iptables
-  action: template src=$item dest=/etc/sysconfig/iptables mode=600 backup=yes
-  first_available_file:
-    - $iptables
-    - $files/iptables/iptables.${ansible_fqdn}
-    - $files/iptables/iptables.${host_group}
-    - $files/iptables/iptables.${env}
-    - $files/iptables/iptables
-  notify:
-  - restart iptables
-  tags:
-  - iptables
-  - config
-
-# XXX fixme # a datacenter 'fact' from setup
-- name: /etc/resolv.conf
-  action: copy src=$item dest=/etc/resolv.conf
-  first_available_file:
-  - ${resolvconf}
-  - $files/resolv.conf/${ansible_fqdn}
-  - $files/resolv.conf/${host_group}
-  - $files/resolv.conf/${datacenter}
-  - $files/resolv.conf/resolv.conf
-  tags:
-  - config
-  - resolvconf
-
-- name: rsyslog.conf
-  action: copy src=$item dest=/etc/rsyslog.conf mode=644
-  first_available_file:
-    - $rsyslogconf
-    - $files/rsyslog/rsyslog.conf.${ansible_fqdn}
-    - $files/rsyslog/rsyslog.conf.${host_group}
-    - $files/rsyslog/rsyslog.conf.${datacenter}
-    - $files/rsyslog/rsyslog.conf
-
-  notify:
-  - restart rsyslog
-  tags:
-  - rsyslogd
-  - config
-
-- name: /etc/postfix/main.cf
-  action: copy src=$item dest=/etc/postfix/main.cf
-  first_available_file:
-    - $postfix_maincf
-    - $files/postfix/main.cf.${ansible_fqdn}
-    - $files/postfix/main.cf.${host_group}
-    - $files/postfix/main.cf.${postfix_group}
-    - $files/postfix/main.cf
-  notify:
-  - restart postfix
-  tags:
-  - postfix
-  - config
-
-#
-# This task installs some common scripts to /usr/local/bin
-# scripts are under $files/common-scripts
-#
-
-- name: Install common scripts
-  action: copy src=$item dest=/usr/local/bin/ owner=root group=root mode=0755
-  with_fileglob: $files/common-scripts/*
-  tags:
-  - config