saltbox
/
states
2
0
Fork 1
Code Issues Pull Requests Releases Wiki Activity
Browse Source

Rebuilding firewall rules

pull/1/head
Sean Johnson 2 years ago
parent
05bc297dbb
commit
8fa8b549cc
27 changed files with 1537 additions and 65 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      .gitignore
  2. 17
      Gemfile
  3. 535
      Gemfile.lock
  4. 25
      _modules/minion_net.py
  5. 7
      base/debian_packages.sls
  6. 1
      base/map.jinja
  7. 18
      base/package_map.yaml
  8. 58
      base/packages.sls
  9. 10
      base/pip_packages.yaml
  10. 2
      base/python.sls
  11. 19
      base/repositories.sls
  12. 21
      ci/pipeline.yml
  13. 15
      ci/settings.yml
  14. 99
      fwrules/chains/concourse_worker.sls
  15. 45
      fwrules/chains/elasticsearch_cluster_private.sls
  16. 56
      fwrules/chains/elasticsearch_exporter_private.sls
  17. 54
      fwrules/chains/http_public.sls
  18. 100
      fwrules/chains/management.sls
  19. 54
      fwrules/chains/mqtt_public.sls
  20. 55
      fwrules/chains/node_exporter_private.sls
  21. 76
      fwrules/chains/salt_private.sls
  22. 88
      fwrules/init.sls
  23. 101
      kitchen.ci.yml
  24. 86
      kitchen.yml
  25. 14
      test/integration/default/base.rb
  26. 40
      test/integration/default/fwrules.rb
  27. 4
      top.sls

2
.gitignore vendored
Unescape View File

@ -0,0 +1,2 @@
.kitchen
.bundle

17
Gemfile
Unescape View File

@ -0,0 +1,17 @@
source 'https://rubygems.org'
group :kitchen do
gem 'test-kitchen'
gem 'kitchen-docker'
gem 'kitchen-inspec'
gem 'kitchen-salt'
end
group :develop do
gem 'kitchen-vagrant'
end
group :formula do
# Put any dependencies needed by the formula tests here.
end

535
Gemfile.lock
Unescape View File

@ -0,0 +1,535 @@
GEM
remote: https://rubygems.org/
specs:
activesupport (5.2.4.3)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2)
minitest (~> 5.1)
tzinfo (~> 1.1)
addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0)
aws-eventstream (1.1.0)
aws-partitions (1.337.0)
aws-sdk-apigateway (1.47.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-apigatewayv2 (1.23.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-athena (1.29.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-autoscaling (1.22.0)
aws-sdk-core (~> 3, >= 3.52.1)
aws-sigv4 (~> 1.1)
aws-sdk-budgets (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudformation (1.40.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudfront (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudhsm (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudhsmv2 (1.25.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudtrail (1.25.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudwatch (1.40.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudwatchlogs (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-codecommit (1.36.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-codedeploy (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-codepipeline (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-configservice (1.47.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-core (3.102.1)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.239.0)
aws-sigv4 (~> 1.1)
jmespath (~> 1.0)
aws-sdk-costandusagereportservice (1.23.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-dynamodb (1.50.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ec2 (1.172.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ecr (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ecs (1.66.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-efs (1.31.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-eks (1.39.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticache (1.39.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticbeanstalk (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticloadbalancing (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticloadbalancingv2 (1.46.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticsearchservice (1.38.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-firehose (1.30.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-iam (1.42.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-kafka (1.23.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-kinesis (1.25.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-kms (1.35.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-lambda (1.45.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-organizations (1.17.0)
aws-sdk-core (~> 3, >= 3.39.0)
aws-sigv4 (~> 1.0)
aws-sdk-rds (1.89.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-redshift (1.45.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-route53 (1.39.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-route53domains (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-route53resolver (1.16.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-s3 (1.72.0)
aws-sdk-core (~> 3, >= 3.102.1)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.1)
aws-sdk-securityhub (1.28.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ses (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-sms (1.22.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-sns (1.26.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-sqs (1.29.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ssm (1.83.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sigv4 (1.2.1)
aws-eventstream (~> 1, >= 1.0.2)
azure_graph_rbac (0.17.2)
ms_rest_azure (~> 0.12.0)
azure_mgmt_key_vault (0.17.6)
ms_rest_azure (~> 0.12.0)
azure_mgmt_resources (0.17.9)
ms_rest_azure (~> 0.12.0)
azure_mgmt_security (0.18.2)
ms_rest_azure (~> 0.12.0)
azure_mgmt_storage (0.21.1)
ms_rest_azure (~> 0.12.0)
bcrypt_pbkdf (1.0.1)
builder (3.2.4)
chef-config (16.2.50)
addressable
chef-utils (= 16.2.50)
fuzzyurl
mixlib-config (>= 2.2.12, < 4.0)
mixlib-shellout (>= 2.0, < 4.0)
tomlrb (~> 1.2)
chef-telemetry (1.0.8)
chef-config
concurrent-ruby (~> 1.0)
ffi-yajl (~> 2.2)
chef-utils (16.2.50)
coderay (1.1.3)
concurrent-ruby (1.1.6)
declarative (0.0.20)
declarative-option (0.1.0)
diff-lcs (1.4.3)
docker-api (1.34.2)
excon (>= 0.47.0)
multi_json
domain_name (0.5.20190701)
unf (>= 0.0.5, < 1.0.0)
ecma-re-validator (0.2.1)
regexp_parser (~> 1.2)
ed25519 (1.2.4)
equatable (0.6.1)
erubi (1.9.0)
excon (0.75.0)
faraday (0.17.3)
multipart-post (>= 1.2, < 3)
faraday-cookie_jar (0.0.6)
faraday (>= 0.7.4)
http-cookie (~> 1.0.0)
faraday_middleware (0.12.2)
faraday (>= 0.7.4, < 1.0)
ffi (1.13.1)
ffi-yajl (2.3.3)
libyajl2 (~> 1.2)
fuzzyurl (0.9.0)
google-api-client (0.34.1)
addressable (~> 2.5, >= 2.5.1)
googleauth (~> 0.9)
httpclient (>= 2.8.1, < 3.0)
mini_mime (~> 1.0)
representable (~> 3.0)
retriable (>= 2.0, < 4.0)
signet (~> 0.12)
googleauth (0.10.0)
faraday (~> 0.12)
jwt (>= 1.4, < 3.0)
memoist (~> 0.16)
multi_json (~> 1.11)
os (>= 0.9, < 2.0)
signet (~> 0.12)
gssapi (1.3.0)
ffi (>= 1.0.1)
gyoku (1.3.1)
builder (>= 2.1.2)
hana (1.3.6)
hashie (3.6.0)
htmlentities (4.3.4)
http-cookie (1.0.3)
domain_name (~> 0.5)
httpclient (2.8.3)
i18n (1.8.3)
concurrent-ruby (~> 1.0)
inifile (3.0.0)
inspec (4.21.1)
faraday_middleware (~> 0.12.2)
inspec-core (= 4.21.1)
train (~> 3.0)
train-aws (~> 0.1)
train-habitat (~> 0.1)
train-winrm (~> 0.2)
inspec-core (4.21.1)
addressable (~> 2.4)
chef-telemetry (~> 1.0)
faraday (>= 0.9.0)
hashie (~> 3.4)
htmlentities (~> 4.3)
json_schemer (~> 0.2.1)
license-acceptance (>= 0.2.13, < 2.0)
method_source (>= 0.8, < 2.0)
mixlib-log (~> 3.0)
multipart-post (~> 2.0)
parallel (~> 1.9)
parslet (~> 1.5)
pry (~> 0.13)
rspec (~> 3.9)
rspec-its (~> 1.2)
rubyzip (~> 1.2, >= 1.2.2)
semverse (~> 3.0)
sslshake (~> 1.2)
term-ansicolor (~> 1.7)
thor (>= 0.20, < 2.0)
tomlrb (~> 1.2.0)
train-core (~> 3.0)
tty-prompt (~> 0.17)
tty-table (~> 0.10)
jmespath (1.4.0)
json (2.3.0)
json_schemer (0.2.11)
ecma-re-validator (~> 0.2)
hana (~> 1.3)
regexp_parser (~> 1.5)
uri_template (~> 0.7)
jwt (2.2.1)
kitchen-docker (2.10.0)
test-kitchen (>= 1.0.0)
kitchen-inspec (2.0.0)
hashie (~> 3.4)
inspec (>= 2.2.64, < 5.0)
test-kitchen (>= 1.6, < 3)
kitchen-salt (0.6.3)
hashie (>= 3.5)
test-kitchen (>= 1.4)
kitchen-vagrant (1.6.1)
test-kitchen (>= 1.4, < 3)
libyajl2 (1.2.0)
license-acceptance (1.0.19)
pastel (~> 0.7)
tomlrb (~> 1.2)
tty-box (~> 0.3)
tty-prompt (~> 0.18)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
memoist (0.16.2)
method_source (1.0.0)
mini_mime (1.0.2)
minitest (5.14.1)
mixlib-config (3.0.6)
tomlrb
mixlib-install (3.12.1)
mixlib-shellout
mixlib-versioning
thor
mixlib-log (3.0.8)
mixlib-shellout (3.0.9)
mixlib-versioning (1.2.12)
ms_rest (0.7.6)
concurrent-ruby (~> 1.0)
faraday (>= 0.9, < 2.0.0)
timeliness (~> 0.3.10)
ms_rest_azure (0.12.0)
concurrent-ruby (~> 1.0)
faraday (>= 0.9, < 2.0.0)
faraday-cookie_jar (~> 0.0.6)
ms_rest (~> 0.7.6)
multi_json (1.14.1)
multipart-post (2.1.1)
necromancer (0.5.1)
net-scp (3.0.0)
net-ssh (>= 2.6.5, < 7.0.0)
net-ssh (6.1.0)
net-ssh-gateway (2.0.0)
net-ssh (>= 4.0.0)
nori (2.6.0)
os (1.1.0)
parallel (1.19.2)
parslet (1.8.2)
pastel (0.7.4)
equatable (~> 0.6)
tty-color (~> 0.5)
pry (0.13.1)
coderay (~> 1.1)
method_source (~> 1.0)
public_suffix (4.0.5)
regexp_parser (1.7.1)
representable (3.0.4)
declarative (< 0.1.0)
declarative-option (< 0.2.0)
uber (< 0.2.0)
retriable (3.1.2)
rspec (3.9.0)
rspec-core (~> 3.9.0)
rspec-expectations (~> 3.9.0)
rspec-mocks (~> 3.9.0)
rspec-core (3.9.2)
rspec-support (~> 3.9.3)
rspec-expectations (3.9.2)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.9.0)
rspec-its (1.3.0)
rspec-core (>= 3.0.0)
rspec-expectations (>= 3.0.0)
rspec-mocks (3.9.1)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.9.0)
rspec-support (3.9.3)
rubyntlm (0.6.2)
rubyzip (1.3.0)
semverse (3.0.0)
signet (0.14.0)
addressable (~> 2.3)
faraday (>= 0.17.3, < 2.0)
jwt (>= 1.5, < 3.0)
multi_json (~> 1.10)
sslshake (1.3.1)
strings (0.1.8)
strings-ansi (~> 0.1)
unicode-display_width (~> 1.5)
unicode_utils (~> 1.4)
strings-ansi (0.2.0)
sync (0.5.0)
term-ansicolor (1.7.1)
tins (~> 1.0)
test-kitchen (2.5.2)
bcrypt_pbkdf (~> 1.0)
ed25519 (~> 1.2)
license-acceptance (~> 1.0, >= 1.0.11)
mixlib-install (~> 3.6)
mixlib-shellout (>= 1.2, < 4.0)
net-scp (>= 1.1, < 4.0)
net-ssh (>= 2.9, < 7.0)
net-ssh-gateway (>= 1.2, < 3.0)
thor (>= 0.19, < 2.0)
winrm (~> 2.0)
winrm-elevated (~> 1.0)
winrm-fs (~> 1.1)
thor (1.0.1)
thread_safe (0.3.6)
timeliness (0.3.10)
tins (1.25.0)
sync
tomlrb (1.2.9)
train (3.3.4)
activesupport (>= 5.2.4.3, < 6.0.0)
azure_graph_rbac (~> 0.16)
azure_mgmt_key_vault (~> 0.17)
azure_mgmt_resources (~> 0.15)
azure_mgmt_security (~> 0.18)
azure_mgmt_storage (~> 0.18)
docker-api (~> 1.26)
google-api-client (>= 0.23.9, < 0.35.0)
googleauth (>= 0.6.6, < 0.11.0)
inifile (~> 3.0)
train-core (= 3.3.4)
train-winrm (~> 0.2)
train-aws (0.1.17)
aws-sdk-apigateway (~> 1.0)
aws-sdk-apigatewayv2 (~> 1.0)
aws-sdk-athena (~> 1.0)
aws-sdk-autoscaling (~> 1.22.0)
aws-sdk-budgets (~> 1.0)
aws-sdk-cloudformation (~> 1.0)
aws-sdk-cloudfront (~> 1.0)
aws-sdk-cloudhsm (~> 1.0)
aws-sdk-cloudhsmv2 (~> 1.0)
aws-sdk-cloudtrail (~> 1.8)
aws-sdk-cloudwatch (~> 1.13)
aws-sdk-cloudwatchlogs (~> 1.13)
aws-sdk-codecommit (~> 1.0)
aws-sdk-codedeploy (~> 1.0)
aws-sdk-codepipeline (~> 1.0)
aws-sdk-configservice (~> 1.21)
aws-sdk-core (~> 3.0)
aws-sdk-costandusagereportservice (~> 1.6)
aws-sdk-dynamodb (~> 1.31)
aws-sdk-ec2 (~> 1.70)
aws-sdk-ecr (~> 1.18)
aws-sdk-ecs (~> 1.30)
aws-sdk-efs (~> 1.0)
aws-sdk-eks (~> 1.9)
aws-sdk-elasticache (~> 1.0)
aws-sdk-elasticbeanstalk (~> 1.0)
aws-sdk-elasticloadbalancing (~> 1.8)
aws-sdk-elasticloadbalancingv2 (~> 1.0)
aws-sdk-elasticsearchservice (~> 1.0)
aws-sdk-firehose (~> 1.0)
aws-sdk-iam (~> 1.13)
aws-sdk-kafka (~> 1.0)
aws-sdk-kinesis (~> 1.0)
aws-sdk-kms (~> 1.13)
aws-sdk-lambda (~> 1.0)
aws-sdk-organizations (~> 1.17.0)
aws-sdk-rds (~> 1.43)
aws-sdk-redshift (~> 1.0)
aws-sdk-route53 (~> 1.0)
aws-sdk-route53domains (~> 1.0)
aws-sdk-route53resolver (~> 1.0)
aws-sdk-s3 (~> 1.30)
aws-sdk-securityhub (~> 1.0)
aws-sdk-ses (~> 1.0)
aws-sdk-sms (~> 1.0)
aws-sdk-sns (~> 1.9)
aws-sdk-sqs (~> 1.10)
aws-sdk-ssm (~> 1.0)
train-core (3.3.4)
addressable (~> 2.5)
ffi (!= 1.13.0)
json (>= 1.8, < 3.0)
mixlib-shellout (>= 2.0, < 4.0)
net-scp (>= 1.2, < 4.0)
net-ssh (>= 2.9, < 7.0)
train-habitat (0.2.13)
train-winrm (0.2.6)
winrm (~> 2.0)
winrm-fs (~> 1.0)
tty-box (0.5.0)
pastel (~> 0.7.2)
strings (~> 0.1.6)
tty-cursor (~> 0.7)
tty-color (0.5.1)
tty-cursor (0.7.1)
tty-prompt (0.21.0)
necromancer (~> 0.5.0)
pastel (~> 0.7.0)
tty-reader (~> 0.7.0)
tty-reader (0.7.0)
tty-cursor (~> 0.7)
tty-screen (~> 0.7)
wisper (~> 2.0.0)
tty-screen (0.8.0)
tty-table (0.11.0)
equatable (~> 0.6)
necromancer (~> 0.5)
pastel (~> 0.7.2)
strings (~> 0.1.5)
tty-screen (~> 0.7)
tzinfo (1.2.7)
thread_safe (~> 0.1)
uber (0.1.0)
unf (0.1.4)
unf_ext
unf_ext (0.0.7.7)
unicode-display_width (1.7.0)
unicode_utils (1.4.0)
uri_template (0.7.0)
winrm (2.3.4)
builder (>= 2.1.2)
erubi (~> 1.8)
gssapi (~> 1.2)
gyoku (~> 1.0)
httpclient (~> 2.2, >= 2.2.0.2)
logging (>= 1.6.1, < 3.0)
nori (~> 2.0)
rubyntlm (~> 0.6.0, >= 0.6.1)
winrm-elevated (1.2.1)
erubi (~> 1.8)
winrm (~> 2.0)
winrm-fs (~> 1.0)
winrm-fs (1.3.3)
erubi (~> 1.8)
logging (>= 1.6.1, < 3.0)
rubyzip (~> 1.1)
winrm (~> 2.0)
wisper (2.0.1)
PLATFORMS
ruby
DEPENDENCIES
kitchen-docker
kitchen-inspec
kitchen-salt
kitchen-vagrant
test-kitchen
BUNDLED WITH
2.1.4

25
_modules/minion_net.py
Unescape View File

@ -1,6 +1,8 @@
#!python
# -*- coding: utf-8 -*-
import socket
from salt.utils.network import ipaddr
@ -108,3 +110,26 @@ def map_hostname_to_public_addresses(target, target_type = "glob", addr_type = "
mapping[nodename].extend(addresses)
return mapping
def strip_cidr(ipaddr):
""" Given an IP address, strip the CIDR off the end, if it is present.
"""
return ipaddr.split("/")[0]
def resolve_hostname(hostname):
v4, v6 = [], []
infos = socket.getaddrinfo(hostname, 0)
for fam, stype, proto, canonname, sockaddr in infos:
address = sockaddr[0]
if fam is socket.AF_INET:
if address not in v4:
v4.append(address)
elif fam is socket.AF_INET6:
if address not in v6:
v6.append(address)
return v4, v6

7
base/debian_packages.sls
Unescape View File

@ -1,7 +0,0 @@
---
apt-file:
pkg.installed:
- name: apt-file
cmd.run:
- name: "apt-file update"

1
base/map.jinja
Unescape View File

@ -1,2 +1,3 @@
{% import_yaml "base/package_map.yaml" as pkg_map %}
{% import_yaml "base/pip_packages.yaml" as pip_pkgs %}
{% set packages = salt["grains.filter_by"](pkg_map, grain="os") or {} %}

18
base/package_map.yaml
Unescape View File

@ -1,27 +1,29 @@
---
Debian:
apt-file:
name: apt-file
then: "apt-file update"
curl:
name: curl
dnsutils:
name: dnsutils
htop:
name: htop
iptables:
name: iptables
latest: true
source_for:
stretch: ~
buster: buster-backports
jq:
name: jq
libcap2_bin:
name: libcap2-bin
parted:
name: parted
pip:
require: ">=19.0.0"
py2_name: python-pip
py3_name: python3-pip
python3:
name: python3
python_requests:
name: python-requests
python3_requests:
name: python3-requests
latest: true
tmux:
name: tmux

58
base/packages.sls
Unescape View File

@ -3,38 +3,26 @@
{% from "base/map.jinja" import packages with context %}
# Include OS-specific packages
{% set osname = grains["os"].lower() %}
include:
- "base.{{ osname }}_packages"
curl:
pkg.installed:
- name: "{{ packages.curl.name }}"
dnsutils:
pkg.installed:
- name: "{{ packages.dnsutils.name }}"
htop:
pkg.installed:
- name: "{{ packages.htop.name }}"
jq:
pkg.installed:
- name: "{{ packages.jq.name }}"
libcap2-bin:
pkg.installed:
- name: "{{ packages.libcap2_bin.name }}"
parted:
pkg.installed:
- name: "{{ packages.parted.name }}"
python3:
pkg.installed:
- name: "{{ packages.python3.name }}"
tmux:
pkg.installed:
- name: "{{ packages.tmux.name }}"
{% set codename = grains["oscodename"] %}
{% for name, settings in packages.items() %}
{{ name }}:
pkg.{{ "latest" if settings.get("latest") else "installed" }}:
- name: {{ settings.name | yaml_dquote }}
{% if settings.get("version") %}
- version: {{ settings.get("version") | yaml_dquote }}
{% endif %}
{% if settings.get("triggers", {}).get("reload") %}
- reload_modules: true
{% endif %}
{% if settings.get("triggers", {}).get("pkg_refresh") %}
- refresh: true
{% endif %}
{% if codename in settings.get("source_for", {}) and settings["source_for"][codename] %}
- fromrepo: {{ settings["source_for"][codename] | yaml_dquote }}
{% endif %}
{% if settings.get("then") %}
cmd.run:
- name: {{ settings["then"] | yaml_dquote }}
{% endif %}
{% endfor %}

10
base/pip_packages.yaml
Unescape View File

@ -0,0 +1,10 @@
---
pip:
require: ">=19.0.0"
py2_name: python-pip
py3_name: python3-pip
python_requests:
name: python-requests
python3_requests:
name: python3-requests

2
base/python.sls
Unescape View File

@ -1,6 +1,6 @@
---
{% from "base/map.jinja" import packages with context %}
{% from "base/map.jinja" import pip_pkgs as packages with context %}
fetch pip bootstrap:
file.managed:

19
base/repositories.sls
Unescape View File

@ -1,20 +1,13 @@
---
debian strech backports:
pkgrepo.managed:
- humanname: debian-stretch-backports
- name: deb http://ftp.debian.org/debian stretch-backports main contrib non-free
- dist: stretch-backports
- file: /etc/apt/sources.list.d/debian-stretch-backports.list
- onchanges_in:
- module: refresh package database
{% set codename = grains["oscodename"] -%}
debian stretch backports sloppy:
debian {{ codename }} backports:
pkgrepo.managed:
- humanname: debian-stretch-backports-sloppy
- name: deb http://ftp.debian.org/debian stretch-backports-sloppy main contrib non-free
- dist: stretch-backports-sloppy
- file: /etc/apt/sources.list.d/debian-stretch-backports-sloppy.list
- humanname: debian-{{ codename }}-backports
- name: deb http://deb.debian.org/debian {{ codename }}-backports main contrib non-free
- dist: {{ codename }}-backports
- file: /etc/apt/sources.list.d/debian-{{ codename }}-backports.list
- onchanges_in:
- module: refresh package database

21
ci/pipeline.yml
Unescape View File

@ -52,7 +52,28 @@ resources:
form_data:
.: (( inject meta.request.form_data ))
- name: commons
type: git
icon: git
source:
.: (( inject meta.upstream.commons ))
jobs:
- name: "kitchen-integration-debian"
serial_groups: [kitchen]
public: true
plan:
- get: commons
- get: states
trigger: true
- task: "run-kitchen-integration-debian"
file: (( grab meta.tasks.kitchen ))
privileged: true
params:
PLATFORM: debian
input_mapping:
formula: states
- name: update-states
public: false
plan:

15
ci/settings.yml
Unescape View File

@ -12,4 +12,17 @@ meta:
password: ((glow_registry_ci.password))
saltbox:
secret: ((saltbox.webhook_secret))
secret: ((saltbox.webhook_secret))
formula:
source:
uri: https://glow.dev.maio.me/saltbox-formulas/states.git
branch: master
tasks:
kitchen: commons/tasks/kitchen/kitchen.yml
upstream:
commons:
uri: "https://glow.dev.maio.me/containers/commons.git"
branch: "master"

99
fwrules/chains/concourse_worker.sls
Unescape View File

@ -0,0 +1,99 @@
#!pydsl
state("concourse_worker ipv4 chain").iptables.chain_present(
"concourse_worker",
family="ipv4",
)
state("concourse_worker ipv6 chain").iptables.chain_present(
"concourse_worker",
family="ipv6",
)
addresses_v4 = ["107.155.67.64/29"]
addresses_v6 = ["2604:880:396::/48"]
for address in addresses_v4:
# SSH
state("ssh ipv4 " + address).iptables.append(
table="filter",
family="ipv4",
chain="concourse_worker",
source=address,
protocol="tcp",
match="tcp",
dport=22,
)
# Concourse worker
state("concourse-atc ipv4 " + address).iptables.append(
table="filter",
family="ipv4",
chain="concourse_worker",
source=address,
protocol="tcp",
match="tcp",
dport=7777,
)
state("concourse-baggageclaim ipv4 " + address).append(
table="filter",
family="ipv4",
chain="concourse_worker",
source=address,
protocol="tcp",
match="tcp",
dport=7778,
)
for address in addresses_v6:
# SSH
state("ssh ipv6 " + address).iptables.append(
table="filter",
family="ipv6",
chain="concourse_worker",
source=address,
protocol="tcp",
match="tcp",
dport=7777,
)
# Concourse private
state("concourse-atc ipv6 " + address).iptables.append(
table="filter",
family="ipv6",
chain="concourse_worker",
source=address,
protocol="tcp",
match="tcp",
dport=7777,
)
state("concourse-baggageclaim ipv6 " + address).iptables.append(
table="filter",
family="ipv6",
chain="concourse_worker",
source=address,
protocol="tcp",
match="tcp",
dport=7778,
)
state("concourse_worker ipv4 input chain").iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
match="comment",
comment="concourse_worker",
jump="concourse_worker",
)
state("concourse_worker ipv6 input chain").iptables.append(
table="filter",
family="ipv6",
chain="INPUT",
match="comment",
comment="concourse_worker",
jump="concourse_worker",
)

45
fwrules/chains/elasticsearch_cluster_private.sls
Unescape View File

@ -0,0 +1,45 @@
#!pydsl
state("es-ingest ipv4 " + address).iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
source="10.1.0.0/24",
protocol="tcp",
match="tcp",
dport=9200,
)
state("es-transport ipv4 " + address).iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
source="10.1.0.0/24",
protocol="tcp",
match="tcp",
dport=9300,
)
addresses_v4 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv4")
for address in addresses_v4:
state("es-ingest ipv4 " + address).iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
source=address,
protocol="tcp",
match="tcp",
dport=9200,
)
addresses_v6 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv6")
for address in addresses_v6:
state("es-ingest ipv6 " + address).iptables.append(
table="filter",
family="ipv6",
chain="INPUT",
source=address,
protocol="tcp",
match="tcp",
dport=9200,
)

56
fwrules/chains/elasticsearch_exporter_private.sls
Unescape View File

@ -0,0 +1,56 @@
#!pydsl
state("elasticsearch_exporter_private ipv4 chain").iptables.chain_present(
"elasticsearch_exporter_private",
family="ipv4",
)
state("elasticsearch_exporter_private ipv6 chain").iptables.chain_present(
"elasticsearch_exporter_private",
family="ipv6",
)
addresses_v4 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv4")
for address in addresses_v4:
# Salt private
state("elasticsearch_exporter ipv4 " + address).iptables.append(
table="filter",
family="ipv4",
chain="elasticsearch_exporter_private",
source=address,
protocol="tcp",
match="tcp",
dport=9114,
)
addresses_v6 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv6")
for address in addresses_v6:
state("elasticsearch_exporter ipv6 " + address).iptables.append(
table="filter",
family="ipv6",
chain="elasticsearch_exporter_private",
source=address,
protocol="tcp",
match="tcp",
dport=9114,
)
state("elasticsearch_exporter_private ipv4 input chain").iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
match="comment",
comment="elasticsearch_exporter_private",
jump="elasticsearch_exporter_private",
)
state("elasticsearch_exporter_private ipv6 input chain").iptables.append(
table="filter",
family="ipv6",
chain="INPUT",
match="comment",
comment="elasticsearch_exporter_private",
jump="elasticsearch_exporter_private",
)

54
fwrules/chains/http_public.sls
Unescape View File

@ -0,0 +1,54 @@
#!pydsl
families = [
("ipv4", ["0.0.0.0/0"]),
("ipv6", ["::/0"]),
]
ports = [
("http", 80),
("https", 443),
]
state("http_public ipv4 chain").iptables.chain_present(
"http_public",
family="ipv4",
)
state("http_public ipv6 chain").iptables.chain_present(
"http_public",
family="ipv6",
)
for family, addresses in families:
for address in addresses:
for protocol, port in ports:
state("{} {} {}".format(protocol, family, address)).iptables.append(
table="filter",
family=family,
chain="http_public",
source=address,
protocol="tcp",
match=["tcp", "comment"],
comment=protocol,
dport=port,
jump="ACCEPT",
)
state("http_public ipv4 input chain").iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
match="comment",
comment="http_public",
jump="http_public",
)
state("http_public ipv6 input chain").iptables.append(
table="filter",
family="ipv6",
chain="INPUT",
match="comment",
comment="http_public",
jump="http_public",
)

100
fwrules/chains/management.sls
Unescape View File

@ -0,0 +1,100 @@
#!pydsl
import socket
from copy import copy
from salt.utils import network
pillar = __salt__["pillar.get"]
addresses_v4 = pillar("firewall:management:ipv4", [])
addresses_v6 = pillar("firewall:management:ipv6", [])
names = pillar("firewall:management:resolve_names", [])
public_addresses = __salt__.minion_net.public_addresses
# CI worker nodes need to be able to access everything
for address in public_addresses("app:builder", target_type="glob", addr_type="ipv4"):
addresses_v4.append(address)
for address in public_addresses("app:builder", target_type="glob", addr_type="ipv6"):
addresses_v6.append(address)
# Salt master needs to be able to access everything
for address in public_addresses("app:saltbox", target_type="glob", addr_type="ipv4"):
addresses_v4.append(address)
for address in public_addresses("app:saltbox", target_type="glob", addr_type="ipv6"):
addresses_v6.append(address)
# Resolve any names to add to the allow lists
for hostname in names:
mods = {}
if isinstance(hostname, dict):
hostname, mods = hostname.popitem()
print(hostname, mods)
widen_ipv6 = mods.get("widen_ipv6")
v4, v6 = __salt__.minion_net.resolve_hostname(hostname)
if widen_ipv6:
cv6 = copy(v6)
v6.clear()
for addr6 in cv6:
addr6 = __salt__.minion_net.strip_cidr(addr6)
v6.append(network.calc_net(addr6, widen_ipv6))
addresses_v4.extend(v4)
addresses_v6.extend(v6)
state("management ipv4 chain").iptables.chain_present(
"management",
family="ipv4",
)
state("management ipv6 chain").iptables.chain_present(
"management",
family="ipv6",
)
for address in addresses_v4:
state("ipv4 " + address).iptables.append(
table="filter",
family="ipv4",
chain="management",
source=address,
match=["comment"],
comment="management",
jump="ACCEPT",
)
for address in addresses_v6:
# SSH private
state("ipv6 " + address).iptables.append(
table="filter",
family="ipv6",
chain="management",
source=address,
match=["comment"],
comment="management",
jump="ACCEPT",
)
state("management ipv4 input chain").iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
match="comment",
comment="management",
jump="management",
)
state("management ipv6 input chain").iptables.append(
table="filter",
family="ipv6",
chain="INPUT",
match="comment",
comment="management",
jump="management",
)

54
fwrules/chains/mqtt_public.sls
Unescape View File

@ -0,0 +1,54 @@
#!pydsl
families = [
("ipv4", ["0.0.0.0/0"]),
("ipv6", ["::/0"]),
]
ports = [
("mqtts-tcp", 4883),
("mqtts-ws", 4884),
]
state("mqtt_public ipv4 chain").iptables.chain_present(
"mqtt_public",
family="ipv4",
)
state("mqtt_public ipv6 chain").iptables.chain_present(
"mqtt_public",
family="ipv6",
)
for family, addresses in families:
for address in addresses:
for protocol, port in ports:
state("{} {} {}".format(protocol, family, address)).iptables.append(
table="filter",
family=family,
chain="mqtt_public",
source=address,
protocol="tcp",
match=["tcp", "comment"],
comment=protocol,
dport=port,
jump="ACCEPT",
)
state("mqtt_public ipv4 input chain").iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
match="comment",
comment="mqtt_public",
jump="mqtt_public",
)
state("mqtt_public ipv6 input chain").iptables.append(
table="filter",
family="ipv6",
chain="INPUT",
match="comment",
comment="mqtt_public",
jump="mqtt_public",
)

55
fwrules/chains/node_exporter_private.sls
Unescape View File

@ -0,0 +1,55 @@
#!pydsl
state("node_exporter_private ipv4 chain").iptables.chain_present(
"node_exporter_private",
family="ipv4",
)
state("node_exporter_private ipv6 chain").iptables.chain_present(
"node_exporter_private",
family="ipv6",
)
addresses_v4 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv4")
for address in addresses_v4:
# Salt private
state("node_exporter ipv4 " + address).iptables.append(
table="filter",
family="ipv4",
chain="node_exporter_private",
source=address,
protocol="tcp",
match="tcp",
dport=9100,
)
addresses_v6 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv6")
for address in addresses_v6:
state("node_exporter ipv6 " + address).iptables.append(
table="filter",
family="ipv6",
chain="node_exporter_private",
source=address,
protocol="tcp",
match="tcp",
dport=9100,
)
state("node_exporter_private ipv4 input chain").iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
match="comment",
comment="node_exporter_private",
jump="node_exporter_private",
)
state("node_exporter_private ipv6 input chain").iptables.append(
table="filter",
family="ipv6",
chain="INPUT",
match="comment",
comment="node_exporter_private",
jump="node_exporter_private",
)

76
fwrules/chains/salt_private.sls
Unescape View File

@ -0,0 +1,76 @@
#!pydsl
state("salt_private ipv4 chain").iptables.chain_present(
"salt_private",
family="ipv4",
)
state("salt_private ipv6 chain").iptables.chain_present(
"salt_private",
family="ipv6",
)
addresses_v4 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv4")
for address in addresses_v4:
# Salt private
state("salt-publish ipv4 " + address).iptables.append(
table="filter",
family="ipv4",
chain="salt_private",
source=address,
protocol="tcp",
match="tcp",
dport=4505,
)
state("salt-return ipv4 " + address).append(
table="filter",
family="ipv4",
chain="salt_private",
source=address,
protocol="tcp",
match="tcp",
dport=4506,
)
addresses_v6 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv6")
for address in addresses_v6:
# Salt private
state("salt-publish ipv6 " + address).iptables.append(
table="filter",
family="ipv6",
chain="salt_private",
source=address,
protocol="tcp",
match="tcp",
dport=4505,
)
state("salt-return ipv6 " + address).iptables.append(
table="filter",
family="ipv6",
chain="salt_private",
source=address,
protocol="tcp",
match="tcp",
dport=4506,
)
state("salt_private ipv4 input chain").iptables.append(
table="filter",
family="ipv4",
chain="INPUT",
match="comment",
comment="salt_private",
jump="salt_private",
)
state("salt_private ipv6 input chain").iptables.append(
table="filter",
family="ipv6",
chain="INPUT",
match="comment",
comment="salt_private",
jump="salt_private",
)

88
fwrules/init.sls
Unescape View File

@ -0,0 +1,88 @@
#!pydsl
defaults = __salt__["pillar.get"]("firewall:defaults", {})
defaults.setdefault("allow_loopback", True)
defaults.setdefault("conntrack", True)
input_policy = __salt__["pillar.get"]("firewall:policies:INPUT", "DROP")
forward_policy = __salt__["pillar.get"]("firewall:policies:FORWARD", "DROP")
output_policy = __salt__["pillar.get"]("firewall:policies:OUTPUT", "ACCEPT")
state("default v4 input " + input_policy).iptables.set_policy(
table="filter",
family="ipv4",
chain="INPUT",
policy=input_policy,
)
state("default v4 forward " + forward_policy).iptables.set_policy(
table="filter",
family="ipv4",
chain="FORWARD",
policy=forward_policy,
)
state("default v4 output " + output_policy).iptables.set_policy(
table="filter",
family="ipv4",
chain="OUTPUT",
policy=output_policy,
)
state("default v6 input " + input_policy).iptables.set_policy(
table="filter",
family="ipv6",
chain="INPUT",
policy=input_policy,
)
state("default v6 forward " + forward_policy).iptables.set_policy(
table="filter",
family="ipv6",
chain="FORWARD",
policy=forward_policy,
)
state("default v6 output " + output_policy).iptables.set_policy(
table="filter",
family="ipv6",
chain="OUTPUT",
policy=output_policy,
)
if defaults["conntrack"]:
state("conntrack ipv4").iptables.append(
table="filter",
chain="INPUT",
family="ipv4",
match=["conntrack"],
ctstate="RELATED,ESTABLISHED",
jump="ACCEPT",
)
state("conntrack ipv6").iptables.append(
table="filter",
chain="INPUT",
family="ipv6",
match=["conntrack"],
ctstate="RELATED,ESTABLISHED",
jump="ACCEPT",
)
if defaults["allow_loopback"]:
state("loopback ipv4").iptables.append(
table="filter",
chain="INPUT",
family="ipv4",
source="127.0.0.0/8",
jump="ACCEPT",
)
state("loopback ipv6").iptables.append(
table="filter",
chain="INPUT",
family="ipv6",
source="::1/128",
jump="ACCEPT",
)

101
kitchen.ci.yml
Unescape View File

@ -0,0 +1,101 @@
---
driver:
name: docker
transport:
name: docker
driver_config:
use_sudo: false
privileged: true
provision_command: mkdir -p /run/sshd
run_command: /lib/systemd/systemd
cap_add:
- CAP_SYS_ADMIN
verifier:
name: inspec
sudo: true
reporter:
- cli
platforms:
- name: debian-9
driver_config:
image: debian:9
provision_command:
- apt-get install -y python3-pip git
- pip3 install pytoml
provisioner:
name: salt_solo
require_chef: false
state_collection: .
is_file_root: true
# Salt-solo installation options
salt_install: bootstrap
salt_version: latest
salt_bootstrap_options: "-x python3"
salt_copy_filter:
- .git
- .kitchen
dependencies:
- name: openssh
repo: git
source: https://github.com/saltstack-formulas/openssh-formula.git
# Provision with states
state_top:
base:
'*':
- base.files
- base.repositories
- base.packages
- base.python
- base.sshd
- base.unattended_upgrades
- fwrules
pillars:
top.sls:
base:
'*':
- firewall
firewall.sls:
firewall:
defaults:
conntrack: false
policies:
INPUT: ACCEPT
FORWARD: DROP
OUTPUT: ACCEPT
management:
ipv4:
- "107.155.67.64/29"
ipv6:
- "2604:880:396::/48"
resolve_names:
- "adephagia.synology.me":
widen_ipv6: 64
suites:
- name: default
provisioner:
state_top:
base:
'*':
- base.files
- base.repositories
- base.packages
- base.python
- base.sshd
- base.unattended_upgrades
- fwrules
- fwrules.chains.management
- fwrules.chains.minion_access
- fwrules.chains.http_public
- fwrules.chains.mqtt_public
pillars: {}

86
kitchen.yml
Unescape View File

@ -0,0 +1,86 @@
---
driver:
name: vagrant
verifier:
name: inspec
sudo: true
reporter:
- cli
platforms:
- name: debian-9
driver:
box: generic/debian9
provisioner:
name: salt_solo
require_chef: false
state_collection: .
is_file_root: true
# Salt-solo installation options
salt_install: bootstrap
salt_version: latest
salt_copy_filter:
- .git
- .kitchen
dependencies:
- name: openssh
repo: git
source: https://github.com/saltstack-formulas/openssh-formula.git
# Provision with states
state_top:
base:
'*':
- base.files
- base.repositories
- base.packages
- base.python
- base.sshd
- base.unattended_upgrades
- fwrules
pillars:
top.sls:
base:
'*':
- firewall
firewall.sls:
firewall:
defaults:
conntrack: false
policies:
INPUT: ACCEPT
FORWARD: DROP
OUTPUT: ACCEPT
management:
ipv4:
- "107.155.67.64/29"
ipv6:
- "2604:880:396::/48"