580cd252c5
This was done using yq ( https://mikefarah.gitbook.io/yq/operators/sort-keys ) Doing things this way makes it much easier to see if a variable is set in a file or if two hosts differ in what variables they set. Hopefully we can keep things sorted moving forward. Basically this means just sort a-z anything you add to any host or group vaiable and it will be in the right place. Additionally, this enforces 'normal' intent rules for all the variable files which we should also try and obey. 2 spaces for first level, 3 for next, etc. When in doubt you can run yq on it. This should cause NO actual vairable changes, it's all just readability fixing for humans, ansible parses it exactly the same. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
65 lines
2 KiB
Text
65 lines
2 KiB
Text
---
|
|
# Define resources for this group of hosts here.
|
|
csi_primary_contact: sysadmin-main admin@fedoraproject.org
|
|
csi_purpose: SSH proxy to access infrastructure not exposed to the web
|
|
csi_relationship: |
|
|
- Provides ssh access to all iad2/vpn connected servers.
|
|
- Bastion is the hub for all infrastructure's VPN connections.
|
|
- All incoming SMTP from iad2 and VPN, as well as outgoing SMTP,
|
|
pass or are filtered here.
|
|
- Bastion does not accept any mail outside phx2/vpn.
|
|
# These variables are pushed into /etc/system_identification by the base role.
|
|
# Groups and individual hosts should override them with specific info.
|
|
# See http://infrastructure.fedoraproject.org/csi/security-policy/
|
|
csi_security_category: High
|
|
#
|
|
# drop incoming traffic from less trusted vpn hosts
|
|
# allow ntp from internal RH 10 nets
|
|
#
|
|
custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
|
|
#
|
|
# Set this to get fasclient cron to make the aliases file
|
|
#
|
|
fas_aliases: true
|
|
#
|
|
# Set this to get fasjson-client cron to make the aliases file
|
|
#
|
|
fasjson_aliases: false
|
|
fasjson_url: https://fasjson.fedoraproject.org/
|
|
ipa_client_shell_groups:
|
|
- pungi-devel
|
|
- sysadmin-analysis
|
|
- sysadmin-dba
|
|
- sysadmin-ppc
|
|
- sysadmin-secondary
|
|
- sysadmin-spin
|
|
- sysadmin-troubleshoot
|
|
- sysadmin-qa
|
|
- sysadmin-kernel
|
|
ipa_client_shell_groups_inherit_from:
|
|
- batcave
|
|
# allow a bunch of sysadmin groups here so they can access internal stuff
|
|
ipa_host_group: bastion
|
|
ipa_host_group_desc: Bastion hosts
|
|
lvm_size: 20000
|
|
mem_size: 8192
|
|
nagios_Check_Services:
|
|
mail: false
|
|
nrpe: true
|
|
nrpe_procs_crit: 1200
|
|
#
|
|
# Sometimes there are lots of postfix processes
|
|
#
|
|
nrpe_procs_warn: 1100
|
|
num_cpus: 4
|
|
#
|
|
# This is a postfix gateway. This will pick up gateway postfix config in base
|
|
#
|
|
postfix_group: gateway
|
|
postfix_transport_filename: transports.gateway
|
|
primary_auth_source: ipa
|
|
#
|
|
# allow incoming openvpn and smtp
|
|
#
|
|
tcp_ports: [22, 25, 1194]
|
|
udp_ports: [1194]
|