Commit de9f3291 authored by Goh Choon Ming's avatar Goh Choon Ming

add firewall rules for various services in the stack

parent a14dece4
......@@ -16,5 +16,21 @@ class opstheater::profile::elasticsearch{
} else {
fail("No elasticsearch instances found in hiera for class opstheater::profile::elasticsearch on ${::fqdn}.")
}
@firewall { '200 allow elasticsearch 9200 access':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '9200',
tag => 'opstheater',
}
@firewall { '200 allow elasticsearch 9300 access':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '9300',
tag => 'opstheater',
}
}
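Review bot: Both elasticsearch rules (`'200 allow elasticsearch 9200 access'` and `'200 allow elasticsearch 9300 access'`) use `jump => 'OPSTHEATER'` with no `source`, so any host reaching INPUT is handed to the OPSTHEATER chain for the cluster ports; whether that is a restriction at all depends on what the OPSTHEATER chain does, which is not visible in this commit. The same shape is used by the icinga client and master rules, logstash and mysql, while the foreman, grafana, kibana and icinga web rules instead use `action => 'accept'` with a `source` restriction, and the gitlab section mixes the two (205 accepts, 206 jumps). A one-line comment above each jump rule stating what OPSTHEATER is expected to enforce, e.g. `# OPSTHEATER chain restricts sources to stack members; see <constructed: the profile that defines the chain>`, would let a reader tell the intended exposure of 9200/9300 without tracing the other profiles. The enclosing class starts before this hunk.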
......@@ -81,4 +81,23 @@ class opstheater::profile::foremanproxy {
proxy => 'http://localhost:3000/',
}
}
@firewall { '203 allow HTTP access to foreman':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '80',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
@firewall { '204 allow HTTPS access to foreman':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '443',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
}
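Review bot: The `source => hiera('opstheater::vpn_ip', '0.0.0.0')` fallback on rules 203 and 204 silently changes the rule's meaning when the hiera key is absent: iptables treats a bare address as a /32, so a missing key would most likely produce a rule that matches only the literal host 0.0.0.0 rather than "any source", and the foreman ports would then appear open in the manifest while being unreachable. If "any" is what is wanted the value would have to be `'0.0.0.0/0'`; if the VPN restriction is required, dropping the default so that a missing key fails catalog compilation, `source => hiera('opstheater::vpn_ip'),`, is the safer choice. The same default appears in the gitlab, grafana, icinga web and kibana sections. The enclosing class starts before this hunk.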
......@@ -180,4 +180,22 @@ class opstheater::profile::gitlab {
include opstheater::profile::filebeat::gitlab
include opstheater::profile::filebeat::mattermost
@firewall { '205 allow HTTP access to gitlab':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '80',
source => hiera('opstheater::vpn_ip', '0.0.0.0')
tag => 'opstheater',
}
@firewall { '206 allow HTTPS access to gitlab':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '443',
source => hiera('opstheater::vpn_ip', '0.0.0.0')
tag => 'opstheater',
}
}
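Review bot: The `source => hiera('opstheater::vpn_ip', '0.0.0.0')` lines in both gitlab rules are missing the trailing comma before `tag`, so this manifest will not parse; each should read `source => hiera('opstheater::vpn_ip', '0.0.0.0'),`. Separately, rule 205 uses `action => 'accept'` while rule 206 uses `jump => 'OPSTHEATER'` with the same `source` restriction, which looks unintended for two rules guarding the same service; either both accept directly or both go through the chain. The enclosing class starts before this hunk.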
......@@ -47,4 +47,13 @@ class opstheater::profile::grafana {
},
}
@firewall { '207 allow HTTP access to grafana':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '3000',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
}
......@@ -38,4 +38,12 @@ class opstheater::profile::icinga::client {
Icinga2::Object::Zone <<| |>>
@firewall { '201 allow access to icinga client':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '5665',
tag => 'opstheater',
}
}
......@@ -42,4 +42,12 @@ class opstheater::profile::icinga::server {
Icinga2::Object::Service <<| |>>
Icinga2::Object::Zone <<| |>>
@firewall { '201 allow access to icinga master':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '5665',
tag => 'opstheater',
}
}
......@@ -183,4 +183,22 @@ class opstheater::profile::icinga::web {
value => '"UTC"',
}
@firewall { '202 allow HTTP access to icinga web':
chain => 'INPUT',
action => 'accept',
proto => 'http',
dport => '80',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
@firewall { '203 allow HTTPS access to icinga web':
chain => 'INPUT',
action => 'accept',
proto => 'http',
dport => '443',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
}
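Review bot: `proto => 'http'` on rules 202 and 203 is not an IP protocol; the `-p` match takes a protocol name or number such as tcp, and puppetlabs-firewall validates `proto` against its own list, so these two resources will most likely be rejected at apply time. Both should read `proto => 'tcp',` as the other HTTP/HTTPS rules in this commit do. The enclosing class starts before this hunk.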
......@@ -9,4 +9,12 @@ class opstheater::profile::kibana {
include opstheater::profile::filebeat::kibana
@firewall { '208 allow HTTP access to kibana':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '5601',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
}
......@@ -43,4 +43,11 @@ class opstheater::profile::logstash {
create_resources('logstash::plugin', $plugins)
}
@firewall { '209 allow access to logstash':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => hiera('opstheater::profile::logstash::input_beats_port'),
}
}
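Review bot: Rule `'209 allow access to logstash'` is the only firewall resource in this commit without `tag => 'opstheater'`; if these virtual resources are collected by tag elsewhere, this one is never realized and the beats port stays closed, which is an easy gap to miss since the manifest still compiles. Adding `tag => 'opstheater',` after the `dport` line keeps it consistent with the other sections. The enclosing class starts before this hunk.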
......@@ -30,5 +30,13 @@ class opstheater::profile::mysql {
include opstheater::profile::filebeat::mysql
@firewall { '210 allow access to mysql':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '3306',
tag => 'opstheater',
}
}