ansible/inventory/group_vars/bastion

---
# Define resources for this group of hosts here.
csi_primary_contact: sysadmin-main admin@fedoraproject.org
csi_purpose: SSH proxy to access infrastructure not exposed to the web
csi_relationship: |
  - Provides ssh access to all iad2/vpn connected servers.
  - Bastion is the hub for all infrastructure's VPN connections.
  - All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
    pass or are filtered here.
  - Bastion does not accept any mail outside phx2/vpn.
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
csi_security_category: High
#
# drop incoming traffic from less trusted vpn hosts
# allow ntp from internal RH 10 nets
#
custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
#
# Set this to get fasclient cron to make the aliases file
#
fas_aliases: true
#
# Set this to get fasjson-client cron to make the aliases file
#
fasjson_aliases: false
fasjson_url: https://fasjson.fedoraproject.org/
ipa_client_shell_groups:
  - pungi-devel
  - sysadmin-analysis
  - sysadmin-dba
  - sysadmin-ppc
  - sysadmin-secondary
  - sysadmin-spin
  - sysadmin-troubleshoot
  - sysadmin-qa
  - sysadmin-kernel
ipa_client_shell_groups_inherit_from:
  - batcave
# allow a bunch of sysadmin groups here so they can access internal stuff
ipa_host_group: bastion
ipa_host_group_desc: Bastion hosts
lvm_size: 20000
mem_size: 8192
nagios_Check_Services:
  mail: false
  nrpe: true
nrpe_procs_crit: 1200
#
# Sometimes there are lots of postfix processes
#
nrpe_procs_warn: 1100
num_cpus: 4
#
# This is a postfix gateway. This will pick up gateway postfix config in base
#
postfix_group: gateway
postfix_transport_filename: transports.gateway
primary_auth_source: ipa
#
# allow incoming openvpn and smtp
#
tcp_ports: [22, 25, 1194]
udp_ports: [1194]
A basic first cut at a bastion role. Going to use on bastion02 2014-10-08 22:37:24 +00:00			`---`
Add CSI vars from Juan Jimenez-Anca. Thanks! 2015-11-20 20:19:56 +00:00			`# Define resources for this group of hosts here.`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`csi_primary_contact: sysadmin-main admin@fedoraproject.org`
			`csi_purpose: SSH proxy to access infrastructure not exposed to the web`
			`csi_relationship: \|`
			`- Provides ssh access to all iad2/vpn connected servers.`
			`- Bastion is the hub for all infrastructure's VPN connections.`
			`- All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,`
			`pass or are filtered here.`
			`- Bastion does not accept any mail outside phx2/vpn.`
			`# These variables are pushed into /etc/system_identification by the base role.`
			`# Groups and individual hosts should override them with specific info.`
			`# See http://infrastructure.fedoraproject.org/csi/security-policy/`
			`csi_security_category: High`
A basic first cut at a bastion role. Going to use on bastion02 2014-10-08 22:37:24 +00:00			`#`
			`# drop incoming traffic from less trusted vpn hosts`
change a few known hosts from phx2 to iad2 variables. 2020-06-14 09:51:42 -04:00			`# allow ntp from internal RH 10 nets`
A basic first cut at a bastion role. Going to use on bastion02 2014-10-08 22:37:24 +00:00			`#`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']`
Try setting things this way. 2014-10-08 23:30:33 +00:00			`#`
			`# Set this to get fasclient cron to make the aliases file`
			`#`
			`fas_aliases: true`
Manage bastion email aliases using fasjson 2021-02-10 14:43:02 +00:00			`#`
			`# Set this to get fasjson-client cron to make the aliases file`
			`#`
			`fasjson_aliases: false`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`fasjson_url: https://fasjson.fedoraproject.org/`
			`ipa_client_shell_groups:`
			`- pungi-devel`
			`- sysadmin-analysis`
			`- sysadmin-dba`
			`- sysadmin-ppc`
			`- sysadmin-secondary`
			`- sysadmin-spin`
			`- sysadmin-troubleshoot`
			`- sysadmin-qa`
			`- sysadmin-kernel`
			`ipa_client_shell_groups_inherit_from:`
			`- batcave`
			`# allow a bunch of sysadmin groups here so they can access internal stuff`
			`ipa_host_group: bastion`
			`ipa_host_group_desc: Bastion hosts`
			`lvm_size: 20000`
			`mem_size: 8192`
			`nagios_Check_Services:`
			`mail: false`
			`nrpe: true`
			`nrpe_procs_crit: 1200`
Set max procs higher on bastion sometimes there's lots of postfix threads 2014-10-10 19:25:47 +00:00			`#`
			`# Sometimes there are lots of postfix processes`
			`#`
Up these limits 2015-03-26 22:24:17 +00:00			`nrpe_procs_warn: 1100`
Inventory group/host variables: Sort yaml This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-11-16 13:27:57 -08:00			`num_cpus: 4`
			`#`
			`# This is a postfix gateway. This will pick up gateway postfix config in base`
			`#`
			`postfix_group: gateway`
			`postfix_transport_filename: transports.gateway`
			`primary_auth_source: ipa`
			`#`
			`# allow incoming openvpn and smtp`
			`#`
			`tcp_ports: [22, 25, 1194]`
			`udp_ports: [1194]`