add restic env, firewall

firewall/defaults.yaml

@@ -0,0 +1,2 @@
+ig_tcp:
+  22: 'ssh'

firewall/files/iptables.jinja

@@ -0,0 +1,22 @@
+{% import_yaml 'firewall/defaults.yaml' as defaults -%}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', defaults['ig_tcp']).items() -%}
+-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
+{% endfor -%}
+{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) -%}
+{% for tcp_port in ig_tcp_hosts.keys() -%}
+{%   for host, comment in ig_tcp_hosts[tcp_port].items() -%}
+-A INPUT -p tcp -m state --state NEW -s "{{ host }}" -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
+{%   endfor -%}
+{% endfor -%}
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -j DROP
+-A FORWARD -j DROP
+COMMIT

firewall/init.sls

@@ -0,0 +1,20 @@
+{% from "firewall/map.jinja" import firewall %}
+
+iptables:
+  pkg.installed:
+    - pkgs:
+      - {{ firewall['pkg'] }}
+  file.managed:
+    - name: {{ firewall['cfg'] }}
+    - source: 'salt://firewall/files/iptables.jinja'
+    - template: jinja
+  service.running:
+    - name: {{ firewall['svc'] }}
+    - enable: True
+    - watch:
+      - file: iptables
+
+{% if firewall['remove'] is not none %}
+{{ firewall['remove'] }}:
+  pkg.removed: []
+{% endif %}

firewall/map.jinja

@@ -0,0 +1,14 @@
+{% set firewall = salt.grains.filter_by({
+    'Debian': {
+      'pkg': 'iptables-persistent',
+      'cfg': '/etc/iptables/rules.v4',
+      'svc': 'netfilter-persistent',
+      'remove': None,
+    },
+    'RedHat': {
+      'pkg': 'iptables-services',
+      'cfg': '/etc/sysconfig/iptables',
+      'svc': 'iptables',
+      'remove': 'firewalld',
+    }
+}) %}