
Rebuilding firewall rules

pull/1/head
Sean Johnson 2 years ago
parent
commit
8fa8b549cc
  1. 2
      .gitignore
  2. 17
      Gemfile
  3. 535
      Gemfile.lock
  4. 25
      _modules/minion_net.py
  5. 7
      base/debian_packages.sls
  6. 1
      base/map.jinja
  7. 18
      base/package_map.yaml
  8. 58
      base/packages.sls
  9. 10
      base/pip_packages.yaml
  10. 2
      base/python.sls
  11. 19
      base/repositories.sls
  12. 21
      ci/pipeline.yml
  13. 15
      ci/settings.yml
  14. 99
      fwrules/chains/concourse_worker.sls
  15. 45
      fwrules/chains/elasticsearch_cluster_private.sls
  16. 56
      fwrules/chains/elasticsearch_exporter_private.sls
  17. 54
      fwrules/chains/http_public.sls
  18. 100
      fwrules/chains/management.sls
  19. 54
      fwrules/chains/mqtt_public.sls
  20. 55
      fwrules/chains/node_exporter_private.sls
  21. 76
      fwrules/chains/salt_private.sls
  22. 88
      fwrules/init.sls
  23. 101
      kitchen.ci.yml
  24. 86
      kitchen.yml
  25. 14
      test/integration/default/base.rb
  26. 40
      test/integration/default/fwrules.rb
  27. 4
      top.sls

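--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.kitchen
+.bundle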

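--- a/Gemfile
+++ b/Gemfile
@@ -0,0 +1,17 @@
+source 'https://rubygems.org'
+group :kitchen do
+gem 'test-kitchen'
+gem 'kitchen-docker'
+gem 'kitchen-inspec'
+gem 'kitchen-salt'
+end
+group :develop do
+gem 'kitchen-vagrant'
+end
+group :formula do
+# Put any dependencies needed by the formula tests here.
+end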

535
Gemfile.lock

@ -0,0 +1,535 @@
GEM
remote: https://rubygems.org/
specs:
activesupport (5.2.4.3)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2)
minitest (~> 5.1)
tzinfo (~> 1.1)
addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0)
aws-eventstream (1.1.0)
aws-partitions (1.337.0)
aws-sdk-apigateway (1.47.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-apigatewayv2 (1.23.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-athena (1.29.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-autoscaling (1.22.0)
aws-sdk-core (~> 3, >= 3.52.1)
aws-sigv4 (~> 1.1)
aws-sdk-budgets (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudformation (1.40.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudfront (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudhsm (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudhsmv2 (1.25.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudtrail (1.25.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudwatch (1.40.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudwatchlogs (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-codecommit (1.36.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-codedeploy (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-codepipeline (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-configservice (1.47.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-core (3.102.1)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.239.0)
aws-sigv4 (~> 1.1)
jmespath (~> 1.0)
aws-sdk-costandusagereportservice (1.23.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-dynamodb (1.50.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ec2 (1.172.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ecr (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ecs (1.66.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-efs (1.31.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-eks (1.39.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticache (1.39.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticbeanstalk (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticloadbalancing (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticloadbalancingv2 (1.46.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticsearchservice (1.38.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-firehose (1.30.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-iam (1.42.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-kafka (1.23.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-kinesis (1.25.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-kms (1.35.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-lambda (1.45.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-organizations (1.17.0)
aws-sdk-core (~> 3, >= 3.39.0)
aws-sigv4 (~> 1.0)
aws-sdk-rds (1.89.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-redshift (1.45.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-route53 (1.39.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-route53domains (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-route53resolver (1.16.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-s3 (1.72.0)
aws-sdk-core (~> 3, >= 3.102.1)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.1)
aws-sdk-securityhub (1.28.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ses (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-sms (1.22.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-sns (1.26.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-sqs (1.29.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ssm (1.83.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sigv4 (1.2.1)
aws-eventstream (~> 1, >= 1.0.2)
azure_graph_rbac (0.17.2)
ms_rest_azure (~> 0.12.0)
azure_mgmt_key_vault (0.17.6)
ms_rest_azure (~> 0.12.0)
azure_mgmt_resources (0.17.9)
ms_rest_azure (~> 0.12.0)
azure_mgmt_security (0.18.2)
ms_rest_azure (~> 0.12.0)
azure_mgmt_storage (0.21.1)
ms_rest_azure (~> 0.12.0)
bcrypt_pbkdf (1.0.1)
builder (3.2.4)
chef-config (16.2.50)
addressable
chef-utils (= 16.2.50)
fuzzyurl
mixlib-config (>= 2.2.12, < 4.0)
mixlib-shellout (>= 2.0, < 4.0)
tomlrb (~> 1.2)
chef-telemetry (1.0.8)
chef-config
concurrent-ruby (~> 1.0)
ffi-yajl (~> 2.2)
chef-utils (16.2.50)
coderay (1.1.3)
concurrent-ruby (1.1.6)
declarative (0.0.20)
declarative-option (0.1.0)
diff-lcs (1.4.3)
docker-api (1.34.2)
excon (>= 0.47.0)
multi_json
domain_name (0.5.20190701)
unf (>= 0.0.5, < 1.0.0)
ecma-re-validator (0.2.1)
regexp_parser (~> 1.2)
ed25519 (1.2.4)
equatable (0.6.1)
erubi (1.9.0)
excon (0.75.0)
faraday (0.17.3)
multipart-post (>= 1.2, < 3)
faraday-cookie_jar (0.0.6)
faraday (>= 0.7.4)
http-cookie (~> 1.0.0)
faraday_middleware (0.12.2)
faraday (>= 0.7.4, < 1.0)
ffi (1.13.1)
ffi-yajl (2.3.3)
libyajl2 (~> 1.2)
fuzzyurl (0.9.0)
google-api-client (0.34.1)
addressable (~> 2.5, >= 2.5.1)
googleauth (~> 0.9)
httpclient (>= 2.8.1, < 3.0)
mini_mime (~> 1.0)
representable (~> 3.0)
retriable (>= 2.0, < 4.0)
signet (~> 0.12)
googleauth (0.10.0)
faraday (~> 0.12)
jwt (>= 1.4, < 3.0)
memoist (~> 0.16)
multi_json (~> 1.11)
os (>= 0.9, < 2.0)
signet (~> 0.12)
gssapi (1.3.0)
ffi (>= 1.0.1)
gyoku (1.3.1)
builder (>= 2.1.2)
hana (1.3.6)
hashie (3.6.0)
htmlentities (4.3.4)
http-cookie (1.0.3)
domain_name (~> 0.5)
httpclient (2.8.3)
i18n (1.8.3)
concurrent-ruby (~> 1.0)
inifile (3.0.0)
inspec (4.21.1)
faraday_middleware (~> 0.12.2)
inspec-core (= 4.21.1)
train (~> 3.0)
train-aws (~> 0.1)
train-habitat (~> 0.1)
train-winrm (~> 0.2)
inspec-core (4.21.1)
addressable (~> 2.4)
chef-telemetry (~> 1.0)
faraday (>= 0.9.0)
hashie (~> 3.4)
htmlentities (~> 4.3)
json_schemer (~> 0.2.1)
license-acceptance (>= 0.2.13, < 2.0)
method_source (>= 0.8, < 2.0)
mixlib-log (~> 3.0)
multipart-post (~> 2.0)
parallel (~> 1.9)
parslet (~> 1.5)
pry (~> 0.13)
rspec (~> 3.9)
rspec-its (~> 1.2)
rubyzip (~> 1.2, >= 1.2.2)
semverse (~> 3.0)
sslshake (~> 1.2)
term-ansicolor (~> 1.7)
thor (>= 0.20, < 2.0)
tomlrb (~> 1.2.0)
train-core (~> 3.0)
tty-prompt (~> 0.17)
tty-table (~> 0.10)
jmespath (1.4.0)
json (2.3.0)
json_schemer (0.2.11)
ecma-re-validator (~> 0.2)
hana (~> 1.3)
regexp_parser (~> 1.5)
uri_template (~> 0.7)
jwt (2.2.1)
kitchen-docker (2.10.0)
test-kitchen (>= 1.0.0)
kitchen-inspec (2.0.0)
hashie (~> 3.4)
inspec (>= 2.2.64, < 5.0)
test-kitchen (>= 1.6, < 3)
kitchen-salt (0.6.3)
hashie (>= 3.5)
test-kitchen (>= 1.4)
kitchen-vagrant (1.6.1)
test-kitchen (>= 1.4, < 3)
libyajl2 (1.2.0)
license-acceptance (1.0.19)
pastel (~> 0.7)
tomlrb (~> 1.2)
tty-box (~> 0.3)
tty-prompt (~> 0.18)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
memoist (0.16.2)
method_source (1.0.0)
mini_mime (1.0.2)
minitest (5.14.1)
mixlib-config (3.0.6)
tomlrb
mixlib-install (3.12.1)
mixlib-shellout
mixlib-versioning
thor
mixlib-log (3.0.8)
mixlib-shellout (3.0.9)
mixlib-versioning (1.2.12)
ms_rest (0.7.6)
concurrent-ruby (~> 1.0)
faraday (>= 0.9, < 2.0.0)
timeliness (~> 0.3.10)
ms_rest_azure (0.12.0)
concurrent-ruby (~> 1.0)
faraday (>= 0.9, < 2.0.0)
faraday-cookie_jar (~> 0.0.6)
ms_rest (~> 0.7.6)
multi_json (1.14.1)
multipart-post (2.1.1)
necromancer (0.5.1)
net-scp (3.0.0)
net-ssh (>= 2.6.5, < 7.0.0)
net-ssh (6.1.0)
net-ssh-gateway (2.0.0)
net-ssh (>= 4.0.0)
nori (2.6.0)
os (1.1.0)
parallel (1.19.2)
parslet (1.8.2)
pastel (0.7.4)
equatable (~> 0.6)
tty-color (~> 0.5)
pry (0.13.1)
coderay (~> 1.1)
method_source (~> 1.0)
public_suffix (4.0.5)
regexp_parser (1.7.1)
representable (3.0.4)
declarative (< 0.1.0)
declarative-option (< 0.2.0)
uber (< 0.2.0)
retriable (3.1.2)
rspec (3.9.0)
rspec-core (~> 3.9.0)
rspec-expectations (~> 3.9.0)
rspec-mocks (~> 3.9.0)
rspec-core (3.9.2)
rspec-support (~> 3.9.3)
rspec-expectations (3.9.2)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.9.0)
rspec-its (1.3.0)
rspec-core (>= 3.0.0)
rspec-expectations (>= 3.0.0)
rspec-mocks (3.9.1)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.9.0)
rspec-support (3.9.3)
rubyntlm (0.6.2)
rubyzip (1.3.0)
semverse (3.0.0)
signet (0.14.0)
addressable (~> 2.3)
faraday (>= 0.17.3, < 2.0)
jwt (>= 1.5, < 3.0)
multi_json (~> 1.10)
sslshake (1.3.1)
strings (0.1.8)
strings-ansi (~> 0.1)
unicode-display_width (~> 1.5)
unicode_utils (~> 1.4)
strings-ansi (0.2.0)
sync (0.5.0)
term-ansicolor (1.7.1)
tins (~> 1.0)
test-kitchen (2.5.2)
bcrypt_pbkdf (~> 1.0)
ed25519 (~> 1.2)
license-acceptance (~> 1.0, >= 1.0.11)
mixlib-install (~> 3.6)
mixlib-shellout (>= 1.2, < 4.0)
net-scp (>= 1.1, < 4.0)
net-ssh (>= 2.9, < 7.0)
net-ssh-gateway (>= 1.2, < 3.0)
thor (>= 0.19, < 2.0)
winrm (~> 2.0)
winrm-elevated (~> 1.0)
winrm-fs (~> 1.1)
thor (1.0.1)
thread_safe (0.3.6)
timeliness (0.3.10)
tins (1.25.0)
sync
tomlrb (1.2.9)
train (3.3.4)
activesupport (>= 5.2.4.3, < 6.0.0)
azure_graph_rbac (~> 0.16)
azure_mgmt_key_vault (~> 0.17)
azure_mgmt_resources (~> 0.15)
azure_mgmt_security (~> 0.18)
azure_mgmt_storage (~> 0.18)
docker-api (~> 1.26)
google-api-client (>= 0.23.9, < 0.35.0)
googleauth (>= 0.6.6, < 0.11.0)
inifile (~> 3.0)
train-core (= 3.3.4)
train-winrm (~> 0.2)
train-aws (0.1.17)
aws-sdk-apigateway (~> 1.0)
aws-sdk-apigatewayv2 (~> 1.0)
aws-sdk-athena (~> 1.0)
aws-sdk-autoscaling (~> 1.22.0)
aws-sdk-budgets (~> 1.0)
aws-sdk-cloudformation (~> 1.0)
aws-sdk-cloudfront (~> 1.0)
aws-sdk-cloudhsm (~> 1.0)
aws-sdk-cloudhsmv2 (~> 1.0)
aws-sdk-cloudtrail (~> 1.8)
aws-sdk-cloudwatch (~> 1.13)
aws-sdk-cloudwatchlogs (~> 1.13)
aws-sdk-codecommit (~> 1.0)
aws-sdk-codedeploy (~> 1.0)
aws-sdk-codepipeline (~> 1.0)
aws-sdk-configservice (~> 1.21)
aws-sdk-core (~> 3.0)
aws-sdk-costandusagereportservice (~> 1.6)
aws-sdk-dynamodb (~> 1.31)
aws-sdk-ec2 (~> 1.70)
aws-sdk-ecr (~> 1.18)
aws-sdk-ecs (~> 1.30)
aws-sdk-efs (~> 1.0)
aws-sdk-eks (~> 1.9)
aws-sdk-elasticache (~> 1.0)
aws-sdk-elasticbeanstalk (~> 1.0)
aws-sdk-elasticloadbalancing (~> 1.8)
aws-sdk-elasticloadbalancingv2 (~> 1.0)
aws-sdk-elasticsearchservice (~> 1.0)
aws-sdk-firehose (~> 1.0)
aws-sdk-iam (~> 1.13)
aws-sdk-kafka (~> 1.0)
aws-sdk-kinesis (~> 1.0)
aws-sdk-kms (~> 1.13)
aws-sdk-lambda (~> 1.0)
aws-sdk-organizations (~> 1.17.0)
aws-sdk-rds (~> 1.43)
aws-sdk-redshift (~> 1.0)
aws-sdk-route53 (~> 1.0)
aws-sdk-route53domains (~> 1.0)
aws-sdk-route53resolver (~> 1.0)
aws-sdk-s3 (~> 1.30)
aws-sdk-securityhub (~> 1.0)
aws-sdk-ses (~> 1.0)
aws-sdk-sms (~> 1.0)
aws-sdk-sns (~> 1.9)
aws-sdk-sqs (~> 1.10)
aws-sdk-ssm (~> 1.0)
train-core (3.3.4)
addressable (~> 2.5)
ffi (!= 1.13.0)
json (>= 1.8, < 3.0)
mixlib-shellout (>= 2.0, < 4.0)
net-scp (>= 1.2, < 4.0)
net-ssh (>= 2.9, < 7.0)
train-habitat (0.2.13)
train-winrm (0.2.6)
winrm (~> 2.0)
winrm-fs (~> 1.0)
tty-box (0.5.0)
pastel (~> 0.7.2)
strings (~> 0.1.6)
tty-cursor (~> 0.7)
tty-color (0.5.1)
tty-cursor (0.7.1)
tty-prompt (0.21.0)
necromancer (~> 0.5.0)
pastel (~> 0.7.0)
tty-reader (~> 0.7.0)
tty-reader (0.7.0)
tty-cursor (~> 0.7)
tty-screen (~> 0.7)
wisper (~> 2.0.0)
tty-screen (0.8.0)
tty-table (0.11.0)
equatable (~> 0.6)
necromancer (~> 0.5)
pastel (~> 0.7.2)
strings (~> 0.1.5)
tty-screen (~> 0.7)
tzinfo (1.2.7)
thread_safe (~> 0.1)
uber (0.1.0)
unf (0.1.4)
unf_ext
unf_ext (0.0.7.7)
unicode-display_width (1.7.0)
unicode_utils (1.4.0)
uri_template (0.7.0)
winrm (2.3.4)
builder (>= 2.1.2)
erubi (~> 1.8)
gssapi (~> 1.2)
gyoku (~> 1.0)
httpclient (~> 2.2, >= 2.2.0.2)
logging (>= 1.6.1, < 3.0)
nori (~> 2.0)
rubyntlm (~> 0.6.0, >= 0.6.1)
winrm-elevated (1.2.1)
erubi (~> 1.8)
winrm (~> 2.0)
winrm-fs (~> 1.0)
winrm-fs (1.3.3)
erubi (~> 1.8)
logging (>= 1.6.1, < 3.0)
rubyzip (~> 1.1)
winrm (~> 2.0)
wisper (2.0.1)
PLATFORMS
ruby
DEPENDENCIES
kitchen-docker
kitchen-inspec
kitchen-salt
kitchen-vagrant
test-kitchen
BUNDLED WITH
2.1.4

25
_modules/minion_net.py

@ -1,6 +1,8 @@
#!python
# -*- coding: utf-8 -*-
import socket
from salt.utils.network import ipaddr
@ -108,3 +110,26 @@ def map_hostname_to_public_addresses(target, target_type = "glob", addr_type = "
mapping[nodename].extend(addresses)
return mapping
def strip_cidr(ipaddr):
""" Given an IP address, strip the CIDR off the end, if it is present.
"""
return ipaddr.split("/")[0]
def resolve_hostname(hostname):
v4, v6 = [], []
infos = socket.getaddrinfo(hostname, 0)
for fam, stype, proto, canonname, sockaddr in infos:
address = sockaddr[0]
if fam is socket.AF_INET:
if address not in v4:
v4.append(address)
elif fam is socket.AF_INET6:
if address not in v6:
v6.append(address)
return v4, v6
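Review bot: `strip_cidr(ipaddr)` names its parameter `ipaddr`, shadowing the `from salt.utils.network import ipaddr` import at the top of this file; rename it, e.g. `def strip_cidr(address): return address.split("/")[0]`. In `resolve_hostname` the family checks use identity (`fam is socket.AF_INET`), which happens to work for the `AddressFamily` enum on Python 3 but is the wrong operator for a value comparison; use `fam == socket.AF_INET` and `fam == socket.AF_INET6`. The function also has no docstring and lets `socket.gaierror` from `getaddrinfo` propagate, which is acceptable only if callers expect it — a docstring saying it returns de-duplicated `(v4, v6)` address lists in resolver order and raises when the name does not resolve would make that contract explicit, since the firewall states below build allow lists from it. The enclosing `map_hostname_to_public_addresses` begins outside the hunk.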

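--- a/base/debian_packages.sls
+++ b/base/debian_packages.sls
@@ -1,7 +0,0 @@
----
-apt-file:
-pkg.installed:
-- name: apt-file
-cmd.run:
-- name: "apt-file update"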

1
base/map.jinja

@ -1,2 +1,3 @@
{% import_yaml "base/package_map.yaml" as pkg_map %}
{% import_yaml "base/pip_packages.yaml" as pip_pkgs %}
{% set packages = salt["grains.filter_by"](pkg_map, grain="os") or {} %}

18
base/package_map.yaml

@ -1,27 +1,29 @@
---
Debian:
apt-file:
name: apt-file
then: "apt-file update"
curl:
name: curl
dnsutils:
name: dnsutils
htop:
name: htop
iptables:
name: iptables
latest: true
source_for:
stretch: ~
buster: buster-backports
jq:
name: jq
libcap2_bin:
name: libcap2-bin
parted:
name: parted
pip:
require: ">=19.0.0"
py2_name: python-pip
py3_name: python3-pip
python3:
name: python3
python_requests:
name: python-requests
python3_requests:
name: python3-requests
latest: true
tmux:
name: tmux

58
base/packages.sls

@ -3,38 +3,26 @@
{% from "base/map.jinja" import packages with context %}
# Include OS-specific packages
{% set osname = grains["os"].lower() %}
include:
- "base.{{ osname }}_packages"
curl:
pkg.installed:
- name: "{{ packages.curl.name }}"
dnsutils:
pkg.installed:
- name: "{{ packages.dnsutils.name }}"
htop:
pkg.installed:
- name: "{{ packages.htop.name }}"
jq:
pkg.installed:
- name: "{{ packages.jq.name }}"
libcap2-bin:
pkg.installed:
- name: "{{ packages.libcap2_bin.name }}"
parted:
pkg.installed:
- name: "{{ packages.parted.name }}"
python3:
pkg.installed:
- name: "{{ packages.python3.name }}"
tmux:
pkg.installed:
- name: "{{ packages.tmux.name }}"
{% set codename = grains["oscodename"] %}
{% for name, settings in packages.items() %}
{{ name }}:
pkg.{{ "latest" if settings.get("latest") else "installed" }}:
- name: {{ settings.name | yaml_dquote }}
{% if settings.get("version") %}
- version: {{ settings.get("version") | yaml_dquote }}
{% endif %}
{% if settings.get("triggers", {}).get("reload") %}
- reload_modules: true
{% endif %}
{% if settings.get("triggers", {}).get("pkg_refresh") %}
- refresh: true
{% endif %}
{% if codename in settings.get("source_for", {}) and settings["source_for"][codename] %}
- fromrepo: {{ settings["source_for"][codename] | yaml_dquote }}
{% endif %}
{% if settings.get("then") %}
cmd.run:
- name: {{ settings["then"] | yaml_dquote }}
{% endif %}
{% endfor %}
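Review bot: The `cmd.run` emitted for entries with a `then` command shares the package's state id but carries no requisite, so the command (`apt-file update` in package_map.yaml) runs on every highstate rather than only after the package is installed or upgraded; add `- onchanges: - pkg: {{ name }}` (or at least `- require`) under the `cmd.run`. The loop also dereferences `settings.name` unconditionally, so any map entry without a `name` key (the pip entry in package_map.yaml carries `py2_name`/`py3_name` instead, if it is still present after this change) fails the render; `settings.get("name", name)` or an explicit `{% if settings.get("name") %}` would be safer. The hunk starts at line 3 of the file, so the header is outside it.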

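--- a/base/pip_packages.yaml
+++ b/base/pip_packages.yaml
@@ -0,0 +1,10 @@
+---
+pip:
+require: ">=19.0.0"
+py2_name: python-pip
+py3_name: python3-pip
+python_requests:
+name: python-requests
+python3_requests:
+name: python3-requests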

2
base/python.sls

@ -1,6 +1,6 @@
---
{% from "base/map.jinja" import packages with context %}
{% from "base/map.jinja" import pip_pkgs as packages with context %}
fetch pip bootstrap:
file.managed:

19
base/repositories.sls

@ -1,20 +1,13 @@
---
debian strech backports:
pkgrepo.managed:
- humanname: debian-stretch-backports
- name: deb http://ftp.debian.org/debian stretch-backports main contrib non-free
- dist: stretch-backports
- file: /etc/apt/sources.list.d/debian-stretch-backports.list
- onchanges_in:
- module: refresh package database
{% set codename = grains["oscodename"] -%}
debian stretch backports sloppy:
debian {{ codename }} backports:
pkgrepo.managed:
- humanname: debian-stretch-backports-sloppy
- name: deb http://ftp.debian.org/debian stretch-backports-sloppy main contrib non-free
- dist: stretch-backports-sloppy
- file: /etc/apt/sources.list.d/debian-stretch-backports-sloppy.list
- humanname: debian-{{ codename }}-backports
- name: deb http://deb.debian.org/debian {{ codename }}-backports main contrib non-free
- dist: {{ codename }}-backports
- file: /etc/apt/sources.list.d/debian-{{ codename }}-backports.list
- onchanges_in:
- module: refresh package database
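Review bot: The backports source is fetched over plain `http://deb.debian.org/debian`; apt's signature verification still protects package integrity, but deb.debian.org serves HTTPS, which also keeps the list of packages a host pulls off the wire, so `deb https://deb.debian.org/debian {{ codename }}-backports main contrib non-free` is worth using once the image is known to have an apt with HTTPS transport. The state assumes `grains["oscodename"]` has a `-backports` suite, which holds for stretch and buster but not for testing/sid, and it depends on a `refresh package database` module state defined outside this file; a one-line comment naming both assumptions would help.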

21
ci/pipeline.yml

@ -52,7 +52,28 @@ resources:
form_data:
.: (( inject meta.request.form_data ))
- name: commons
type: git
icon: git
source:
.: (( inject meta.upstream.commons ))
jobs:
- name: "kitchen-integration-debian"
serial_groups: [kitchen]
public: true
plan:
- get: commons
- get: states
trigger: true
- task: "run-kitchen-integration-debian"
file: (( grab meta.tasks.kitchen ))
privileged: true
params:
PLATFORM: debian
input_mapping:
formula: states
- name: update-states
public: false
plan:
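Review bot: The new `kitchen-integration-debian` job is `public: true` while running a `privileged: true` task, so its build logs — which presumably include kitchen's converge output for the firewall pillar — become readable without logging in; the neighbouring `update-states` job is `public: false`, and this one should match unless the log content has been checked. A privileged task triggered by every push to `states` also means anyone who can push to that repository gets a root-equivalent container on the worker; that is inherent to kitchen-docker, but a comment on `privileged: true` recording why it is needed would stop a later reviewer from dropping or widening it blindly. The `jobs:` list starts in this hunk but `update-states` continues past it.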

15
ci/settings.yml

@ -12,4 +12,17 @@ meta:
password: ((glow_registry_ci.password))
saltbox:
secret: ((saltbox.webhook_secret))
secret: ((saltbox.webhook_secret))
formula:
source:
uri: https://glow.dev.maio.me/saltbox-formulas/states.git
branch: master
tasks:
kitchen: commons/tasks/kitchen/kitchen.yml
upstream:
commons:
uri: "https://glow.dev.maio.me/containers/commons.git"
branch: "master"
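Review bot: The two new source blocks quote their values inconsistently — `uri: https://glow.dev.maio.me/saltbox-formulas/states.git` / `branch: master` under `formula.source` versus `uri: "https://glow.dev.maio.me/containers/commons.git"` / `branch: "master"` under `upstream.commons`; pick one form (quoting is the safer choice for values containing `:`) and use it for both. The `meta:` mapping these keys belong to starts outside the hunk.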

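--- a/fwrules/chains/concourse_worker.sls
+++ b/fwrules/chains/concourse_worker.sls
@@ -0,0 +1,99 @@
+#!pydsl
+state("concourse_worker ipv4 chain").iptables.chain_present(
+"concourse_worker",
+family="ipv4",
+)
+state("concourse_worker ipv6 chain").iptables.chain_present(
+"concourse_worker",
+family="ipv6",
+)
+addresses_v4 = ["107.155.67.64/29"]
+addresses_v6 = ["2604:880:396::/48"]
+for address in addresses_v4:
+# SSH
+state("ssh ipv4 " + address).iptables.append(
+table="filter",
+family="ipv4",
+chain="concourse_worker",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=22,
+)
+# Concourse worker
+state("concourse-atc ipv4 " + address).iptables.append(
+table="filter",
+family="ipv4",
+chain="concourse_worker",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=7777,
+)
+state("concourse-baggageclaim ipv4 " + address).append(
+table="filter",
+family="ipv4",
+chain="concourse_worker",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=7778,
+)
+for address in addresses_v6:
+# SSH
+state("ssh ipv6 " + address).iptables.append(
+table="filter",
+family="ipv6",
+chain="concourse_worker",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=7777,
+)
+# Concourse private
+state("concourse-atc ipv6 " + address).iptables.append(
+table="filter",
+family="ipv6",
+chain="concourse_worker",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=7777,
+)
+state("concourse-baggageclaim ipv6 " + address).iptables.append(
+table="filter",
+family="ipv6",
+chain="concourse_worker",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=7778,
+)
+state("concourse_worker ipv4 input chain").iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+match="comment",
+comment="concourse_worker",
+jump="concourse_worker",
+)
+state("concourse_worker ipv6 input chain").iptables.append(
+table="filter",
+family="ipv6",
+chain="INPUT",
+match="comment",
+comment="concourse_worker",
+jump="concourse_worker",
+)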
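Review bot: None of the per-address rules in this chain carry a target, so `iptables.append` produces match-only rules that count packets and accept nothing; with the INPUT policy defaulting to `DROP` in fwrules/init.sls the chain admits no traffic at all. Each of the SSH/7777/7778 rules needs `jump="ACCEPT"`, as http_public.sls and management.sls already do; the same omission is in elasticsearch_cluster_private.sls, elasticsearch_exporter_private.sls, node_exporter_private.sls and salt_private.sls. Separately, the baggageclaim ipv4 rule calls `.append(` directly on the state declaration without `.iptables`, which does not yield an iptables state (the salt-return ipv4 rule in salt_private.sls has the same slip), and the ipv6 rule commented `# SSH` uses `dport=7777` where its ipv4 counterpart uses `dport=22`.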

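--- a/fwrules/chains/elasticsearch_cluster_private.sls
+++ b/fwrules/chains/elasticsearch_cluster_private.sls
@@ -0,0 +1,45 @@
+#!pydsl
+state("es-ingest ipv4 " + address).iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+source="10.1.0.0/24",
+protocol="tcp",
+match="tcp",
+dport=9200,
+)
+state("es-transport ipv4 " + address).iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+source="10.1.0.0/24",
+protocol="tcp",
+match="tcp",
+dport=9300,
+)
+addresses_v4 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv4")
+for address in addresses_v4:
+state("es-ingest ipv4 " + address).iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=9200,
+)
+addresses_v6 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv6")
+for address in addresses_v6:
+state("es-ingest ipv6 " + address).iptables.append(
+table="filter",
+family="ipv6",
+chain="INPUT",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=9200,
+)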
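Review bot: The two rules at the top of the file interpolate `address` into their state ids before any `address` exists, so rendering raises NameError at `state("es-ingest ipv4 " + address)`; the name is only bound by the `for address in addresses_v4` loop further down. If these are meant to be the fixed 10.1.0.0/24 allowances, give them literal ids such as `state("es-ingest ipv4 10.1.0.0/24")` and `state("es-transport ipv4 10.1.0.0/24")`. Unlike the other chain files this one appends straight to `INPUT` with no `chain_present` of its own and no `input chain` jump, which makes it impossible to flush or audit the Elasticsearch rules as a unit; a dedicated `elasticsearch_cluster_private` chain would keep it consistent with its siblings.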

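--- a/fwrules/chains/elasticsearch_exporter_private.sls
+++ b/fwrules/chains/elasticsearch_exporter_private.sls
@@ -0,0 +1,56 @@
+#!pydsl
+state("elasticsearch_exporter_private ipv4 chain").iptables.chain_present(
+"elasticsearch_exporter_private",
+family="ipv4",
+)
+state("elasticsearch_exporter_private ipv6 chain").iptables.chain_present(
+"elasticsearch_exporter_private",
+family="ipv6",
+)
+addresses_v4 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv4")
+for address in addresses_v4:
+# Salt private
+state("elasticsearch_exporter ipv4 " + address).iptables.append(
+table="filter",
+family="ipv4",
+chain="elasticsearch_exporter_private",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=9114,
+)
+addresses_v6 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv6")
+for address in addresses_v6:
+state("elasticsearch_exporter ipv6 " + address).iptables.append(
+table="filter",
+family="ipv6",
+chain="elasticsearch_exporter_private",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=9114,
+)
+state("elasticsearch_exporter_private ipv4 input chain").iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+match="comment",
+comment="elasticsearch_exporter_private",
+jump="elasticsearch_exporter_private",
+)
+state("elasticsearch_exporter_private ipv6 input chain").iptables.append(
+table="filter",
+family="ipv6",
+chain="INPUT",
+match="comment",
+comment="elasticsearch_exporter_private",
+jump="elasticsearch_exporter_private",
+)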
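Review bot: The `# Salt private` comment above the ipv4 exporter rule is a copy-paste leftover from salt_private.sls and describes the wrong chain; replace it with something like `# elasticsearch_exporter scrape port, metrics hosts only` or drop it, and the same stale comment sits in node_exporter_private.sls. The source set is whatever minions carry the `app:metrics` grain when the state renders, so the allow list silently goes stale when a metrics host is added or retired; a header comment stating that the chain must be re-rendered on such changes would spare the next maintainer a puzzling scrape failure.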

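--- a/fwrules/chains/http_public.sls
+++ b/fwrules/chains/http_public.sls
@@ -0,0 +1,54 @@
+#!pydsl
+families = [
+("ipv4", ["0.0.0.0/0"]),
+("ipv6", ["::/0"]),
+]
+ports = [
+("http", 80),
+("https", 443),
+]
+state("http_public ipv4 chain").iptables.chain_present(
+"http_public",
+family="ipv4",
+)
+state("http_public ipv6 chain").iptables.chain_present(
+"http_public",
+family="ipv6",
+)
+for family, addresses in families:
+for address in addresses:
+for protocol, port in ports:
+state("{} {} {}".format(protocol, family, address)).iptables.append(
+table="filter",
+family=family,
+chain="http_public",
+source=address,
+protocol="tcp",
+match=["tcp", "comment"],
+comment=protocol,
+dport=port,
+jump="ACCEPT",
+)
+state("http_public ipv4 input chain").iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+match="comment",
+comment="http_public",
+jump="http_public",
+)
+state("http_public ipv6 input chain").iptables.append(
+table="filter",
+family="ipv6",
+chain="INPUT",
+match="comment",
+comment="http_public",
+jump="http_public",
+)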
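Review bot: The `families` table pairs each family with a one-element catch-all list and then nests three loops, which reads as though per-family address sets were expected; since both entries are the any-address wildcard, `for family, address in (("ipv4", "0.0.0.0/0"), ("ipv6", "::/0")):` says the same thing with one level less. mqtt_public.sls repeats this file line for line apart from the chain name and the port table; a shared pydsl helper taking `(chain, ports)` would keep the two from drifting, and a header comment noting that these are deliberately world-open chains (unlike the `_private` ones) would make the naming convention explicit.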

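--- a/fwrules/chains/management.sls
+++ b/fwrules/chains/management.sls
@@ -0,0 +1,100 @@
+#!pydsl
+import socket
+from copy import copy
+from salt.utils import network
+pillar = __salt__["pillar.get"]
+addresses_v4 = pillar("firewall:management:ipv4", [])
+addresses_v6 = pillar("firewall:management:ipv6", [])
+names = pillar("firewall:management:resolve_names", [])
+public_addresses = __salt__.minion_net.public_addresses
+# CI worker nodes need to be able to access everything
+for address in public_addresses("app:builder", target_type="glob", addr_type="ipv4"):
+addresses_v4.append(address)
+for address in public_addresses("app:builder", target_type="glob", addr_type="ipv6"):
+addresses_v6.append(address)
+# Salt master needs to be able to access everything
+for address in public_addresses("app:saltbox", target_type="glob", addr_type="ipv4"):
+addresses_v4.append(address)
+for address in public_addresses("app:saltbox", target_type="glob", addr_type="ipv6"):
+addresses_v6.append(address)
+# Resolve any names to add to the allow lists
+for hostname in names:
+mods = {}
+if isinstance(hostname, dict):
+hostname, mods = hostname.popitem()
+print(hostname, mods)
+widen_ipv6 = mods.get("widen_ipv6")
+v4, v6 = __salt__.minion_net.resolve_hostname(hostname)
+if widen_ipv6:
+cv6 = copy(v6)
+v6.clear()
+for addr6 in cv6:
+addr6 = __salt__.minion_net.strip_cidr(addr6)
+v6.append(network.calc_net(addr6, widen_ipv6))
+addresses_v4.extend(v4)
+addresses_v6.extend(v6)
+state("management ipv4 chain").iptables.chain_present(
+"management",
+family="ipv4",
+)
+state("management ipv6 chain").iptables.chain_present(
+"management",
+family="ipv6",
+)
+for address in addresses_v4:
+state("ipv4 " + address).iptables.append(
+table="filter",
+family="ipv4",
+chain="management",
+source=address,
+match=["comment"],
+comment="management",
+jump="ACCEPT",
+)
+for address in addresses_v6:
+# SSH private
+state("ipv6 " + address).iptables.append(
+table="filter",
+family="ipv6",
+chain="management",
+source=address,
+match=["comment"],
+comment="management",
+jump="ACCEPT",
+)
+state("management ipv4 input chain").iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+match="comment",
+comment="management",
+jump="management",
+)
+state("management ipv6 input chain").iptables.append(
+table="filter",
+family="ipv6",
+chain="INPUT",
+match="comment",
+comment="management",
+jump="management",
+)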
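Review bot: The CI-worker and Salt-master lookups pass `target_type="glob"` with the grain-style targets `"app:builder"` and `"app:saltbox"`, whereas the exporter chain files use `target_type="grain"` for the same `app:` form; as a glob these match only a minion literally named `app:builder`, so those two groups most likely never reach the allow list and should read `target_type="grain"`. The `print(hostname, mods)` in the resolve loop is leftover debug output, `import socket` is unused, and `hostname.popitem()` mutates the dict that came from pillar. Every rule in this chain is an all-port, all-protocol ACCEPT, and for `resolve_names` the accepted sources are whatever DNS answers at render time, widened to a whole prefix when `widen_ipv6` is set; a resolver failure aborts the entire firewall render (`socket.gaierror` out of `resolve_hostname`), while a stale or spoofed answer silently changes who holds management access, so a comment stating that trust boundary plus a guard that logs and skips a name that fails to resolve would be worth adding. The `# SSH private` comment on the ipv6 loop is also inaccurate, since the rule is not port-restricted.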

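--- a/fwrules/chains/mqtt_public.sls
+++ b/fwrules/chains/mqtt_public.sls
@@ -0,0 +1,54 @@
+#!pydsl
+families = [
+("ipv4", ["0.0.0.0/0"]),
+("ipv6", ["::/0"]),
+]
+ports = [
+("mqtts-tcp", 4883),
+("mqtts-ws", 4884),
+]
+state("mqtt_public ipv4 chain").iptables.chain_present(
+"mqtt_public",
+family="ipv4",
+)
+state("mqtt_public ipv6 chain").iptables.chain_present(
+"mqtt_public",
+family="ipv6",
+)
+for family, addresses in families:
+for address in addresses:
+for protocol, port in ports:
+state("{} {} {}".format(protocol, family, address)).iptables.append(
+table="filter",
+family=family,
+chain="mqtt_public",
+source=address,
+protocol="tcp",
+match=["tcp", "comment"],
+comment=protocol,
+dport=port,
+jump="ACCEPT",
+)
+state("mqtt_public ipv4 input chain").iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+match="comment",
+comment="mqtt_public",
+jump="mqtt_public",
+)
+state("mqtt_public ipv6 input chain").iptables.append(
+table="filter",
+family="ipv6",
+chain="INPUT",
+match="comment",
+comment="mqtt_public",
+jump="mqtt_public",
+)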

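--- a/fwrules/chains/node_exporter_private.sls
+++ b/fwrules/chains/node_exporter_private.sls
@@ -0,0 +1,55 @@
+#!pydsl
+state("node_exporter_private ipv4 chain").iptables.chain_present(
+"node_exporter_private",
+family="ipv4",
+)
+state("node_exporter_private ipv6 chain").iptables.chain_present(
+"node_exporter_private",
+family="ipv6",
+)
+addresses_v4 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv4")
+for address in addresses_v4:
+# Salt private
+state("node_exporter ipv4 " + address).iptables.append(
+table="filter",
+family="ipv4",
+chain="node_exporter_private",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=9100,
+)
+addresses_v6 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv6")
+for address in addresses_v6:
+state("node_exporter ipv6 " + address).iptables.append(
+table="filter",
+family="ipv6",
+chain="node_exporter_private",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=9100,
+)
+state("node_exporter_private ipv4 input chain").iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+match="comment",
+comment="node_exporter_private",
+jump="node_exporter_private",
+)
+state("node_exporter_private ipv6 input chain").iptables.append(
+table="filter",
+family="ipv6",
+chain="INPUT",
+match="comment",
+comment="node_exporter_private",
+jump="node_exporter_private",
+)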

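--- a/fwrules/chains/salt_private.sls
+++ b/fwrules/chains/salt_private.sls
@@ -0,0 +1,76 @@
+#!pydsl
+state("salt_private ipv4 chain").iptables.chain_present(
+"salt_private",
+family="ipv4",
+)
+state("salt_private ipv6 chain").iptables.chain_present(
+"salt_private",
+family="ipv6",
+)
+addresses_v4 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv4")
+for address in addresses_v4:
+# Salt private
+state("salt-publish ipv4 " + address).iptables.append(
+table="filter",
+family="ipv4",
+chain="salt_private",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=4505,
+)
+state("salt-return ipv4 " + address).append(
+table="filter",
+family="ipv4",
+chain="salt_private",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=4506,
+)
+addresses_v6 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv6")
+for address in addresses_v6:
+# Salt private
+state("salt-publish ipv6 " + address).iptables.append(
+table="filter",
+family="ipv6",
+chain="salt_private",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=4505,
+)
+state("salt-return ipv6 " + address).iptables.append(
+table="filter",
+family="ipv6",
+chain="salt_private",
+source=address,
+protocol="tcp",
+match="tcp",
+dport=4506,
+)
+state("salt_private ipv4 input chain").iptables.append(
+table="filter",
+family="ipv4",
+chain="INPUT",
+match="comment",
+comment="salt_private",
+jump="salt_private",
+)
+state("salt_private ipv6 input chain").iptables.append(
+table="filter",
+family="ipv6",
+chain="INPUT",
+match="comment",
+comment="salt_private",
+jump="salt_private",
+)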
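Review bot: This chain admits every minion's public address (`public_addresses("*", ...)`) to 4505/4506, which are the master's publisher and request-server ports; unless it is only ever included on the master host, it opens ports on which nothing listens and widens the exposed surface for no benefit. A header comment such as `# Only meaningful on the salt master: lets every minion reach the publisher (4505) and request server (4506)` would record the intent, and a `__grains__`-based early exit on non-master hosts would enforce it. Note also that the exporter chains scope their sources with a grain target while this one uses the `"*"` glob; if all minions must be able to reach the master the glob is correct, but the difference deserves a comment.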

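--- a/fwrules/init.sls
+++ b/fwrules/init.sls
@@ -0,0 +1,88 @@
+#!pydsl
+defaults = __salt__["pillar.get"]("firewall:defaults", {})
+defaults.setdefault("allow_loopback", True)
+defaults.setdefault("conntrack", True)
+input_policy = __salt__["pillar.get"]("firewall:policies:INPUT", "DROP")
+forward_policy = __salt__["pillar.get"]("firewall:policies:FORWARD", "DROP")
+output_policy = __salt__["pillar.get"]("firewall:policies:OUTPUT", "ACCEPT")
+state("default v4 input " + input_policy).iptables.set_policy(
+table="filter",
+family="ipv4",
+chain="INPUT",
+policy=input_policy,
+)
+state("default v4 forward " + forward_policy).iptables.set_policy(
+table="filter",
+family="ipv4",
+chain="FORWARD",
+policy=forward_policy,
+)
+state("default v4 output " + output_policy).iptables.set_policy(
+table="filter",
+family="ipv4",
+chain="OUTPUT",
+policy=output_policy,
+)
+state("default v6 input " + input_policy).iptables.set_policy(
+table="filter",
+family="ipv6",
+chain="INPUT",
+policy=input_policy,
+)
+state("default v6 forward " + forward_policy).iptables.set_policy(
+table="filter",
+family="ipv6",
+chain="FORWARD",
+policy=forward_policy,
+)
+state("default v6 output " + output_policy).iptables.set_policy(
+table="filter",
+family="ipv6",
+chain="OUTPUT",
+policy=output_policy,
+)
+if defaults["conntrack"]:
+state("conntrack ipv4").iptables.append(
+table="filter",
+chain="INPUT",
+family="ipv4",
+match=["conntrack"],
+ctstate="RELATED,ESTABLISHED",
+jump="ACCEPT",
+)
+state("conntrack ipv6").iptables.append(
+table="filter",
+chain="INPUT",
+family="ipv6",
+match=["conntrack"],
+ctstate="RELATED,ESTABLISHED",
+jump="ACCEPT",
+)
+if defaults["allow_loopback"]:
+state("loopback ipv4").iptables.append(
+table="filter",
+chain="INPUT",
+family="ipv4",
+source="127.0.0.0/8",
+jump="ACCEPT",
+)
+state("loopback ipv6").iptables.append(
+table="filter",
+chain="INPUT",
+family="ipv6",
+source="::1/128",
+jump="ACCEPT",
+)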
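Review bot: The loopback allowances key on `source="127.0.0.0/8"` / `source="::1/128"` rather than on the interface, so they express "anything claiming a loopback source" instead of "traffic on lo"; the kernel's martian filtering normally discards loopback-sourced packets arriving on real interfaces, but the rule as written does not encode that intent and is what hardening checklists flag. Match the interface instead — Salt's iptables state takes an `in-interface` option, which in pydsl has to be passed as `**{"in-interface": "lo"}` because of the dash — and keep the source match only if a separate drop rule for spoofed loopback sources on other interfaces is added. Ordering is also worth a look: the six `set_policy` states run before the conntrack and loopback rules are appended, so on a host where pillar leaves INPUT at its `DROP` default the policy flips to DROP while no accept rule exists yet, and with `conntrack: false` (as kitchen.ci.yml sets) replies to the minion's own master connection stay dropped; appending the rules first and setting the policies last, or adding `require` requisites, removes that window. `defaults.setdefault(...)` also mutates the dict returned by `pillar.get` in place, which may or may not be a copy depending on the Salt version — copying it first is cheap insurance.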

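--- a/kitchen.ci.yml
+++ b/kitchen.ci.yml
@@ -0,0 +1,101 @@
+---
+driver:
+name: docker
+transport:
+name: docker
+driver_config:
+use_sudo: false
+privileged: true
+provision_command: mkdir -p /run/sshd
+run_command: /lib/systemd/systemd
+cap_add:
+- CAP_SYS_ADMIN
+verifier:
+name: inspec
+sudo: true
+reporter:
+- cli
+platforms:
+- name: debian-9
+driver_config:
+image: debian:9
+provision_command:
+- apt-get install -y python3-pip git
+- pip3 install pytoml
+provisioner:
+name: salt_solo
+require_chef: false
+state_collection: .
+is_file_root: true
+# Salt-solo installation options
+salt_install: bootstrap
+salt_version: latest
+salt_bootstrap_options: "-x python3"
+salt_copy_filter:
+- .git
+- .kitchen
+dependencies:
+- name: openssh
+repo: git
+source: https://github.com/saltstack-formulas/openssh-formula.git
+# Provision with states
+state_top:
+base:
+'*':
+- base.files
+- base.repositories
+- base.packages
+- base.python
+- base.sshd
+- base.unattended_upgrades
+- fwrules
+pillars:
+top.sls:
+base:
+'*':
+- firewall
+firewall.sls:
+firewall:
+defaults:
+conntrack: false
+policies:
+INPUT: ACCEPT
+FORWARD: DROP
+OUTPUT: ACCEPT
+management:
+ipv4:
+- "107.155.67.64/29"
+ipv6:
+- "2604:880:396::/48"
+resolve_names:
+- "adephagia.synology.me":
+widen_ipv6: 64
+suites:
+- name: default
+provisioner:
+state_top:
+base:
+'*':
+- base.files
+- base.repositories
+- base.packages
+- base.python
+- base.sshd
+- base.unattended_upgrades
+- fwrules
+- fwrules.chains.management
+- fwrules.chains.minion_access
+- fwrules.chains.http_public
+- fwrules.chains.mqtt_public
+pillars: {}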
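Review bot: The `default` suite's `state_top` lists `fwrules.chains.minion_access`, but no such state exists in this commit (the chain files added are concourse_worker, elasticsearch_cluster_private, elasticsearch_exporter_private, http_public, management, mqtt_public, node_exporter_private and salt_private), so the converge will fail on a missing SLS; drop the entry or point it at the chain actually meant. The docker driver runs the container with `privileged: true` plus `cap_add: CAP_SYS_ADMIN` to boot systemd, which hands the test container root-equivalent reach into the CI worker's kernel; that is the known price of systemd-in-docker, but it deserves a comment beside `privileged: true` stating why it is required, and `cap_add` is redundant once privileged is set. The `resolve_names` pillar entry also makes every CI converge depend on a live public DNS answer for `adephagia.synology.me`, so the job fails or produces a different firewall whenever that answer changes; a fixed test name or an empty `resolve_names` in CI would keep the suite deterministic.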

86
kitchen.yml

@ -0,0 +1,86 @@
---
driver:
name: vagrant
verifier:
name: inspec
sudo: true
reporter:
- cli
platforms:
- name: debian-9
driver:
box: generic/debian9
provisioner:
name: salt_solo
require_chef: false
state_collection: .
is_file_root: true
# Salt-solo installation options
salt_install: bootstrap
salt_version: latest
salt_copy_filter:
- .git
- .kitchen
dependencies:
- name: openssh
repo: git
source: https://github.com/saltstack-formulas/openssh-formula.git
# Provision with states
state_top:
base:
'*':
- base.files
- base.repositories
- base.packages
- base.python
- base.sshd
- base.unattended_upgrades
- fwrules
pillars:
top.sls:
base:
'*':
- firewall
firewall.sls:
firewall:
defaults:
conntrack: false
policies:
INPUT: ACCEPT
FORWARD: DROP
OUTPUT: ACCEPT
management:
ipv4:
- "107.155.67.64/29"
ipv6:
- "2604:880:396::/48"