[copr] further restrict access to keygen host

2015-02-17 10:58:01 +01:00 · 2015-02-17 10:58:01 +01:00 · 714527134d
commit 714527134d
parent ec2eacd0fa
5 changed files with 21 additions and 10 deletions
--- a/inventory/group_vars/copr
+++ b/inventory/group_vars/copr
@ -1,6 +1,8 @@
 ---
 devel: false
 _forward_src: "forward"
+
+# don't forget to update ip in ./copr-keygen, due to custom firewall rules
 copr_backend_ips: "172.16.5.5 209.132.184.142"
 keygen_host: "172.16.5.25"
 resolvconf: "resolv.conf/cloud"
--- a/inventory/group_vars/copr-keygen
+++ b/inventory/group_vars/copr-keygen
@ -1,6 +1,10 @@
 ---
-tcp_ports: [22, 5167]
+tcp_ports: [22]

-custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.16.5.5 --dport 80 -j ACCEPT',  '-A INPUT -p tcp -m tcp -s 209.132.184.142 --dport 80 -j ACCEPT']
+# http + signd dest ports
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.16.5.5 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.142 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 172.16.5.5 --dport 5167 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.142 --dport 5167 -j ACCEPT']

 datacenter: cloud
--- a/inventory/group_vars/copr-keygen-stg
+++ b/inventory/group_vars/copr-keygen-stg
@ -1,7 +1,11 @@
 ---
 copr_hostbase: copr-keygen-dev
-tcp_ports: [5167]
+tcp_ports: []

-custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.16.5.24 --dport 80 -j ACCEPT' ]
+# http + signd dest ports
+custom_rules: [ '-A INPUT -p tcp -m tcp -s 172.16.5.24 --dport 80 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.179 --dport 80 -j ACCEPT'
+                '-A INPUT -p tcp -m tcp -s 172.16.5.24 --dport 5167 -j ACCEPT',
+                '-A INPUT -p tcp -m tcp -s 209.132.184.179 --dport 5167 -j ACCEPT']

 datacenter: cloud
--- a/inventory/group_vars/copr-stg
+++ b/inventory/group_vars/copr-stg
@ -3,6 +3,7 @@ devel: true
 #_forward-src: "{{ files }}/copr/forward-dev"
 _forward_src: "forward_dev"

+# don't forget to update ip in ./copr-keygen-stg, due to custom firewall rules
 copr_backend_ips: "172.16.5.24 209.132.184.179"
 keygen_host: "172.16.1.6"
 resolvconf: "resolv.conf/cloud"
--- a/playbooks/groups/copr-keygen.yml
+++ b/playbooks/groups/copr-keygen.yml
@ -1,6 +1,6 @@
 - name: check/create instance
-  hosts: copr-keygen:copr-keygen-stg
-  #hosts: copr-keygen-stg
+  #hosts: copr-keygen:copr-keygen-stg
+  hosts: copr-keygen-stg
  user: root
  gather_facts: False

@ -13,8 +13,8 @@
  - include: "{{ tasks }}/growroot_cloud.yml"

 - name: cloud basic setup
-  hosts: copr-keygen:copr-keygen-stg
-  #hosts: copr-keygen-stg
+  #hosts: copr-keygen:copr-keygen-stg
+  hosts: copr-keygen-stg
  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
@ -23,8 +23,8 @@
  - include: "{{ tasks }}/cloud_setup_basic.yml"

 - name: provision instance
-  hosts: copr-keygen:copr-keygen-stg
-  #hosts: copr-keygen-stg
+  #hosts: copr-keygen:copr-keygen-stg
+  hosts: copr-keygen-stg
  gather_facts: False
  user: root
  vars_files: