[storinator] make changes so that storinator can work in cloud

inventory/hardware

@@ -141,7 +141,7 @@ buildhw-aarch64-08.arm.fedoraproject.org
 autocloud-backend-aarch64.arm.fedoraproject.org
 
 [storinator]
-storinator01.phx2.fedoraproject.org
+storinator01.fedorainfracloud.org
 
 [cavium]
 # 2 thunderx2 machines on loan for builders

inventory/host_vars/storinator01.fedorainfracloud.org

@@ -10,11 +10,13 @@ nfs_mount_opts: "rw,hard,bg,intr,noatime,nodev,nosuid,sec=sys,nfsvers=3"
 # general configs
 nrpe_procs_warn: 900
 nrpe_procs_crit: 1000
-datacenter: phx2
-nm: 255.255.255.0
-gw: 10.5.126.254
-dns: 10.5.126.21
-eth0_ip: 10.5.126.6
-eth1_ip: 10.5.127.6
-tcp_ports: [111,2049]
-udp_ports: [111,2049]
+datacenter: cloud
+gw: 38.145.49.254
+dns: 8.8.8.8
+eth0_ip: 38.145.48.6
+eth0_nm: 255.255.254.0
+eth1_ip: 172.24.0.101
+eth1_nm: 255.255.255.0
+
+tcp_ports_eth1: [ 111, 2049 ]
+udp_ports_eth1: [ 111, 2049 ]

inventory/inventory

@@ -1484,7 +1484,7 @@ retrace01.qa.fedoraproject.org
 #el8betatest01.stg.phx2.fedoraproject.org
 
 [nfs_servers]
-storinator01.phx2.fedoraproject.org
+storinator01.fedorainfracloud.org
 
 # communishift -- community openshift
 [virthost_communishift]

roles/base/templates/iptables/iptables.storinator01.fedorainfracloud.org

@@ -0,0 +1,85 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports_eth0 is defined %}
+{% for port in tcp_ports_eth0 %}
+-A INPUT -p tcp -m tcp -i eth0 --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports_eth0 is defined %}
+{% for port in udp_ports_eth0 %}
+-A INPUT -p udp -m udp -i eth0 --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports_eth1 is defined %}
+{% for port in tcp_ports_eth1 %}
+-A INPUT -p tcp -m tcp -i eth1 --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports_eth1 is defined %}
+{% for port in udp_ports_eth1 %}
+-A INPUT -p udp -m udp -i eth1 --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if custom_rules is defined %}
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+
+{% if nat_rules %}
+*nat
+:PREROUTING ACCEPT [0:]
+:INPUT ACCEPT [0:]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+{% for rule in nat_rules %}
+{{ rule }}
+{% endfor %}
+COMMIT
+{% endif %}