add restic env, firewall
2
firewall/defaults.yaml
Normal file
2
firewall/defaults.yaml
Normal file
@@ -0,0 +1,2 @@
|
||||
ig_tcp:
|
||||
22: 'ssh'
|
||||
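--- a/firewall/files/iptables.jinja
+++ b/firewall/files/iptables.jinja
@@ -0,0 +1,22 @@
+{% import_yaml 'firewall/defaults.yaml' as defaults -%}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', defaults['ig_tcp']).items() -%}
+-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
+{% endfor -%}
+{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) -%}
+{% for tcp_port in ig_tcp_hosts.keys() -%}
+{% for host, comment in ig_tcp_hosts[tcp_port].items() -%}
+-A INPUT -p tcp -m state --state NEW -s "{{ host }}" -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -j DROP
+-A FORWARD -j DROP
+COMMIT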
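Review bot: The `salt.pillar.get('firewall:ig_tcp', defaults['ig_tcp'])` lookup on the first `for` line replaces the default mapping wholesale instead of merging with it, so a pillar that lists only a host's extra service ports silently drops the `22: 'ssh'` entry and, once `service.running` reloads the rules, the unconditional `-A INPUT -j REJECT` near the end refuses every new SSH connection. Either document on that line that `firewall:ig_tcp` must re-list port 22, or merge first, e.g. `{% set ig_tcp = defaults['ig_tcp'] -%}` / `{% do ig_tcp.update(salt.pillar.get('firewall:ig_tcp', {})) -%}` and iterate `ig_tcp.items()`. The `-A INPUT -j DROP` and `-A FORWARD -j DROP` lines can never match because the REJECT rules directly above them already terminate every remaining packet; drop them or comment why they are kept. Note also that `-p icmp` and `--reject-with icmp-host-prohibited` are IPv4-only and, per map.jinja, the file lands in `rules.v4` / `/etc/sysconfig/iptables`, so hosts with IPv6 addresses keep an ACCEPT-by-default ip6tables INPUT chain that this state does not manage.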
20
firewall/init.sls
Normal file
20
firewall/init.sls
Normal file
@@ -0,0 +1,20 @@
|
||||
{% from "firewall/map.jinja" import firewall %}
|
||||
|
||||
iptables:
|
||||
pkg.installed:
|
||||
- pkgs:
|
||||
- {{ firewall['pkg'] }}
|
||||
file.managed:
|
||||
- name: {{ firewall['cfg'] }}
|
||||
- source: 'salt://firewall/files/iptables.jinja'
|
||||
- template: jinja
|
||||
service.running:
|
||||
- name: {{ firewall['svc'] }}
|
||||
- enable: True
|
||||
- watch:
|
||||
- file: iptables
|
||||
|
||||
{% if firewall['remove'] is not none %}
|
||||
{{ firewall['remove'] }}:
|
||||
pkg.removed: []
|
||||
{% endif %}
|
||||
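Review bot: The `{{ firewall['remove'] }}` block at the bottom has no ordering relative to the `service.running` above it, so on RedHat the `iptables` service is started while `firewalld` may still be running and both rule sets are active until the package removal happens later in file order; give the removal `pkg.removed:` / `  - require_in:` / `    - service: iptables` (or move the block above the `iptables` ID) so firewalld is gone before the service starts. The `file.managed` for `{{ firewall['cfg'] }}` sets no `user`, `group` or `mode`, unlike the bashrc states elsewhere in this commit, so the rules file gets whatever the minion's umask yields; since it enumerates the allowed source hosts, `- user: root`, `- group: root`, `- mode: '0600'` is the conventional setting. A one-line comment above `service.running` saying that the `watch` on the rules file is what triggers a reload would help the next reader, since nothing else in the state mentions it.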
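--- a/firewall/map.jinja
+++ b/firewall/map.jinja
@@ -0,0 +1,14 @@
+{% set firewall = salt.grains.filter_by({
+'Debian': {
+'pkg': 'iptables-persistent',
+'cfg': '/etc/iptables/rules.v4',
+'svc': 'netfilter-persistent',
+'remove': None,
+},
+'RedHat': {
+'pkg': 'iptables-services',
+'cfg': '/etc/sysconfig/iptables',
+'svc': 'iptables',
+'remove': 'firewalld',
+}
+}) %}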
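Review bot: `filter_by` is called with neither a `default` nor an explicit `grain`, so on any `os_family` other than Debian or RedHat `firewall` renders as `None` and the first `firewall['pkg']` lookup in init.sls fails with an opaque Jinja "None has no attribute" error rather than a clear unsupported-OS message. If failing on other families is intended, a comment above the `set` such as `{# keyed on os_family; unsupported families fail at render time on purpose #}` records that; if not, add a `'default'` entry or a guard in init.sls. The map also offers no `merge=` hook, so a host cannot override `pkg`/`cfg`/`svc` from pillar without editing this file, which is presumably acceptable for now but worth stating.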
@@ -2,6 +2,7 @@
|
||||
icinga_packages:
|
||||
pkg.installed:
|
||||
- pkgs:
|
||||
- vim-icinga2
|
||||
- icinga2
|
||||
- icingaweb2
|
||||
- icinga2-ido-mysql
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
|
||||
/etc/hosts:
|
||||
file.managed:
|
||||
- source: 'salt://net/files/hosts.jinja'
|
||||
- source: 'salt://resolv/files/hosts.jinja'
|
||||
- template: jinja
|
||||
- user: root
|
||||
- group: root
|
||||
3
top.sls
3
top.sls
@@ -7,7 +7,8 @@
|
||||
- restic.client
|
||||
{% endif %}
|
||||
'*.keiran.us':
|
||||
- net
|
||||
- firewall
|
||||
- resolv
|
||||
'vps47492.inmotionhosting.com':
|
||||
- gitea
|
||||
'kpi.keiran.us':
|
||||
|
||||
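Review bot: Adding `- firewall` under `'*.keiran.us'` applies the SSH-only default ruleset to every host in that domain, including `kpi.keiran.us` listed just below, so any such host serving other ports needs a `firewall:ig_tcp` pillar entry in place before this top file is applied or that traffic is rejected at the next highstate. A comment beside the entry, e.g. `# default ruleset allows only 22/tcp; set firewall:ig_tcp in pillar per host`, would make the rollout requirement visible here. Whether `- net` was removed in favour of `- resolv` cannot be read from this rendering, so I have not reviewed that part.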
@@ -73,7 +73,14 @@ if [ $(id -u) -gt 0 ]; then
|
||||
alias fab='sudo fab'
|
||||
fi
|
||||
|
||||
if test -d ~/.local/bin; then
|
||||
PATH="${PATH}:~/.local/bin"
|
||||
fi
|
||||
|
||||
alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
|
||||
|
||||
# https://git.keiran.us/config-mgmt/puppet/raw/commit/09158fc579f5ee2c00f395971d8c986e3ec08788/modules/keir/files/bash/bashrc
|
||||
{% if bashrc_user is defined and bashrc_user == 'root' and 'restic' in pillar %}
|
||||
export RESTIC_REPOSITORY={{ salt.pillar.get('restic:repo') }}
|
||||
export RESTIC_PASSWORD={{ salt.pillar.get('restic:pass') }}
|
||||
{% endif %}
|
||||
|
||||
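Review bot: The two `export` lines place the restic repository password in clear text in `/root/.bashrc` and in the environment of every interactive root shell, where all child processes inherit it; restic also honours `RESTIC_PASSWORD_FILE`, so writing the secret to a separate root-only `0600` file via its own `file.managed` state and exporting only that path keeps it out of the shell environment and out of a template that other states render. Independently, both values are interpolated without quotes, so a password or repository string containing a space, `$`, `;` or a glob character breaks or expands on the shell line; at minimum `export RESTIC_PASSWORD='{{ salt.pillar.get('restic:pass') }}'` and likewise for the repository, which still fails on an embedded single quote and is another reason to prefer the file. The guard `'restic' in pillar` only checks the top-level key, so a pillar with `restic` but no `pass` renders the literal string `None` into the export. bashrc.jinja begins well before this hunk, so the surrounding shell context is not reviewed here.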
@@ -19,10 +19,13 @@
|
||||
{% if salt.pillar.get('manage_root_bashrc', False) %}
|
||||
/root/.bashrc:
|
||||
file.managed:
|
||||
- source: 'salt://users/files/bashrc'
|
||||
- source: 'salt://users/files/bashrc.jinja'
|
||||
- template: jinja
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: 0644
|
||||
- mode: 0640
|
||||
- context:
|
||||
bashrc_user: root
|
||||
{% endif %}
|
||||
|
||||
#/root/.ssh/config:
|
||||
@@ -35,6 +38,12 @@
|
||||
# - require:
|
||||
# - file: /root/.ssh
|
||||
|
||||
{% for group in salt.pillar.get('sys_groups') %}
|
||||
{{ group }}:
|
||||
group.present:
|
||||
- system: True
|
||||
{% endfor %}
|
||||
|
||||
{% for user, data in salt.pillar.get('users', {}).items() %}
|
||||
|
||||
{{ user }}_user:
|
||||
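Review bot: `salt.pillar.get('sys_groups')` on the new `for` line has no default, so a minion whose pillar lacks that key renders `None` and the loop raises a not-iterable Jinja error that fails the whole users state; the `users` loop immediately below already uses `salt.pillar.get('users', {})`, so `{% for group in salt.pillar.get('sys_groups', []) %}` keeps the two consistent. The `- mode: 0640` changes in the first and third hunks of this file are presumably fine for Salt's own loader, which is documented to handle the leading zero, but a plain YAML 1.1 parser reads `0640` as the integer 416, so Salt's docs recommend `- mode: '0640'`. The tightened mode on `/root/.bashrc` is justified by the restic password now templated into it, and a short comment on that line saying so would stop a later cleanup from widening it again.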
@@ -51,10 +60,11 @@
|
||||
{% if data.get('manage_bashrc', False) %}
|
||||
/home/{{ user }}/.bashrc:
|
||||
file.managed:
|
||||
- source: 'salt://users/files/bashrc'
|
||||
- source: 'salt://users/files/bashrc.jinja'
|
||||
- template: jinja
|
||||
- user: {{ user }}
|
||||
- group: {{ user }}
|
||||
- mode: 0644
|
||||
- mode: 0640
|
||||
- require:
|
||||
- user: {{ user }}_user
|
||||
{% endif %}
|
||||
|
||||