infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 7 Projects Releases Packages Wiki Activity Actions
ansible/inventory/group_vars/proxies_stg
James Antill 7f429f3d13 Clean nftables var. for specific staging groups. 
Signed-off-by: James Antill <james@and.org>
2025-03-24 16:18:48 -04:00

82 lines
4.2 KiB
Text
Raw Blame History

---
# Define resources for this group of hosts here.
collectd_apache: true
# For the MOTD
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
# allow varnish from localhost
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
# also allow varnish from internal for purge requests
'-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.0/24 --dport 6081 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.123 -j ACCEPT']
nft_custom_rules:
# Need for rsync from log01 for logs.
- 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
- 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
# allow varnish from localhost
- 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept'
- 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept'
# also allow varnish from internal for purge requests
- 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.0/24 tcp dport 6081 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.166.115 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.166.116 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.166.117 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.166.118 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.166.119 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.166.120 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.166.121 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.166.122 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.166.123 tcp dport 22623 counter accept'
external: true
ipa_client_shell_groups:
- fi-apprentice
- sysadmin-noc
- sysadmin-veteran
- sysadmin-web
ipa_client_sudo_groups:
- sysadmin-web
- sysadmin-noc
ipa_host_group: proxies
ipa_host_group_desc: Proxies between internal hosts and the Internet
lvm_size: 100000
# This is used in the httpd.conf to determine the value for serverlimit and
# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this
# should be lowered in the host vars for that proxy.
maxrequestworkers: 900
mem_size: 8192
num_cpus: 2
ocp_masters_stg:
# - bootstrap.ocp.stg.iad2.fedoraproject.org
- ocp01.ocp.stg.iad2.fedoraproject.org
- ocp02.ocp.stg.iad2.fedoraproject.org
- ocp03.ocp.stg.iad2.fedoraproject.org
ocp_nodes_stg:
- worker01.ocp.stg.iad2.fedoraproject.org
- worker02.ocp.stg.iad2.fedoraproject.org
- worker03.ocp.stg.iad2.fedoraproject.org
- worker04.ocp.stg.iad2.fedoraproject.org
- worker05.ocp.stg.iad2.fedoraproject.org
tcp_ports: [
# For apache, generally.
80, 443,
# This is for TCP krb5
1088,
# This is for RabbitMQ public access
5671,
# openshift 4 api
6443,
# This is for RabbitMQ internal-public access
15671,
# This is for TOTP
8443,
]
varnish_group: proxies
zabbix_templates: "{{ [] }}" # For the moment we have no proxies external to IAD2, if this changes, put in the changes in the production group.
notes: |
* Provides frontend (reverse) proxy for most web applications
* Using Apache -> haproxy, these hosts contact app servers and other various hosts to provide web applications
at sites like fedoraproject.org and admin.fedoraproject.org.
* The proxy servers are balanced via dns and geoIP and are spread all over the place.
Reference in a new issue View git blame Copy permalink