stove/dataset
3
0
Fork 1
Code Issues 2 Pull requests Projects Releases Wiki Activity

manage firewall for host

Browse source
This commit is contained in:
Emmanuel Garette 2022-06-29 11:44:01 +02:00
parent 3f631b1d5b
commit 41c8b44bd1
34 changed files with 71 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
seed/applicationservice/2022.03.08/base-debian/applicationservice.yml
View file

@ -1,5 +1,5 @@
format: '0.1' format: '0.1'
description: Information de base d'un serveur Debian description: Information de base d'un serveur Debian
depends: depends:
- base - base-machine
- systemd - systemd

2
seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml
View file

@ -1,5 +1,5 @@
format: '0.1' format: '0.1'
description: Information de base d'un serveur Fedora description: Information de base d'un serveur Fedora
depends: depends:
- base - base-machine
- systemd - systemd

1
seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service
View file

@ -8,4 +8,3 @@ ExecStart=/usr/bin/update-ca-trust
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

4
seed/applicationservice/2022.03.08/base-machine/applicationservice.yml Normal file
View file

@ -0,0 +1,4 @@
format: '0.1'
description: Base information for a machine
depends:
- base

2
seed/applicationservice/2022.03.08/base/dictionaries/12-base.xml → seed/applicationservice/2022.03.08/base-machine/dictionaries/12-base.xml
View file

@ -46,8 +46,6 @@
</fill> </fill>
<fill name="get_ip"> <fill name="get_ip">
<param name="server_name" type="information">server_name</param> <param name="server_name" type="information">server_name</param>
<param name="zones_name" type="information">zones_name</param>
<param name="index" type="suffix"/>
<target>ip_eth</target> <target>ip_eth</target>
</fill> </fill>
<!-- Return "server_name" only for domain_name_eth0 --> <!-- Return "server_name" only for domain_name_eth0 -->

0
seed/applicationservice/2022.03.08/base/doc.md → seed/applicationservice/2022.03.08/base-machine/doc.md
View file

0
seed/applicationservice/2022.03.08/base/extras/machine/00_base.xml → seed/applicationservice/2022.03.08/base-machine/extras/machine/00_base.xml
View file

13
seed/applicationservice/2022.03.08/base/funcs/funcs.py → seed/applicationservice/2022.03.08/base-machine/funcs/funcs.py
View file

@ -1,5 +1,4 @@
import __main__ import __main__
from typing import List
from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex
from string import ascii_letters as _ascii_letters from string import ascii_letters as _ascii_letters
from random import choice as _choice from random import choice as _choice
@ -7,7 +6,7 @@ from os.path import dirname as _dirname, abspath as _abspath, join as _join, isf
from os import makedirs as _makedirs from os import makedirs as _makedirs
from risotto.utils import load_domains, DOMAINS, ZONES_SERVER from risotto.utils import ZONES_SERVER
_HERE = _dirname(_abspath(__main__.__file__)) _HERE = _dirname(_abspath(__main__.__file__))
@ -103,16 +102,6 @@ def get_domain_name(server_name: str,
return extra_domainnames[index - 1] return extra_domainnames[index - 1]
def get_ip(server_name: str,
zones_name: List[str],
index: str,
) -> str:
load_domains()
host_name, domain_name = server_name.split('.', 1)
domain = DOMAINS[domain_name]
return domain[1][domain[0].index(host_name)]
def get_provider_name(network_name: str, def get_provider_name(network_name: str,
provider: str, provider: str,
) -> str: ) -> str:

0
seed/applicationservice/2022.03.08/base/manual/install/config.sh → seed/applicationservice/2022.03.08/base-machine/manual/install/config.sh
View file

0
seed/applicationservice/2022.03.08/base/manual/install/config_machine.sh → seed/applicationservice/2022.03.08/base-machine/manual/install/config_machine.sh
View file

0
seed/applicationservice/2022.03.08/base/manual/install/diff.py → seed/applicationservice/2022.03.08/base-machine/manual/install/diff.py
View file

0
seed/applicationservice/2022.03.08/base/manual/install/install_host → seed/applicationservice/2022.03.08/base-machine/manual/install/install_host
View file

0
seed/applicationservice/2022.03.08/base/manual/install/install_image → seed/applicationservice/2022.03.08/base-machine/manual/install/install_image
View file

0
seed/applicationservice/2022.03.08/base/manual/install/install_images → seed/applicationservice/2022.03.08/base-machine/manual/install/install_images
View file

0
seed/applicationservice/2022.03.08/base/manual/install/install_machine → seed/applicationservice/2022.03.08/base-machine/manual/install/install_machine
View file

0
seed/applicationservice/2022.03.08/base/manual/install/install_machines → seed/applicationservice/2022.03.08/base-machine/manual/install/install_machines
View file

0
seed/applicationservice/2022.03.08/base/manual/install/make_changelog → seed/applicationservice/2022.03.08/base-machine/manual/install/make_changelog
View file

0
seed/applicationservice/2022.03.08/base/manual/install/make_volatile → seed/applicationservice/2022.03.08/base-machine/manual/install/make_volatile
View file

0
seed/applicationservice/2022.03.08/base/templates/locale.conf → seed/applicationservice/2022.03.08/base-machine/templates/locale.conf
View file

2
seed/applicationservice/2022.03.08/base/applicationservice.yml
View file

@ -1,2 +1,2 @@
format: '0.1' format: '0.1'
description: Information de base d'un serveur description: Base

9
seed/applicationservice/2022.03.08/base/funcs/base.py Normal file
View file

@ -0,0 +1,9 @@
from typing import List
from risotto.utils import load_domains, DOMAINS
def get_ip(server_name: str) -> str:
load_domains()
host_name, domain_name = server_name.split('.', 1)
domain = DOMAINS[domain_name]
return domain[1][domain[0].index(host_name)]

2
seed/applicationservice/2022.03.08/dovecot/dictionaries/26_dovecot.xml
View file

@ -51,7 +51,7 @@
</services> </services>
<variables> <variables>
<family name="network"> <family name="network">
<variable name="external_ports" redefine="True"> <variable name="incoming_ports" redefine="True">
<value>587</value> <value>587</value>
<value>993</value> <value>993</value>
</variable> </variable>

2
seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
View file

@ -10,7 +10,7 @@
</services> </services>
<variables> <variables>
<family name="network"> <family name="network">
<variable name="external_ports" redefine="True"> <variable name="incoming_ports" redefine="True">
<value>2222</value> <value>2222</value>
</variable> </variable>
</family> </family>

2
seed/applicationservice/2022.03.08/host-systemd-machined/applicationservice.yml
View file

@ -1,2 +1,4 @@
format: '0.1' format: '0.1'
description: Configure Systemd Machined description: Configure Systemd Machined
depends:
- base

2
seed/applicationservice/2022.03.08/host-systemd-machined/dictionaries/21-machined.xml
View file

@ -8,6 +8,8 @@
<file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file> <file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
<file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file> <file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
</service> </service>
<service name="risottofirewall" engine="creole" target="multi-user">
</service>
<service name="systemd-nspawn@"> <service name="systemd-nspawn@">
<file>/tmpfiles.d/0asystemd-nspawn.conf</file> <file>/tmpfiles.d/0asystemd-nspawn.conf</file>
<file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file> <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>

2
seed/applicationservice/2022.03.08/host-systemd-machined/doc.md
View file

@ -2,7 +2,7 @@ Providers
========= =========
- machines : nom de domaine des machines (au sens systemd-machined) exécuté sur l'hôte (c'est une variable multiple). Cette variable est une variable meneuse, les variables suivantes sont des variables suiveuses. - machines : nom de domaine des machines (au sens systemd-machined) exécuté sur l'hôte (c'est une variable multiple). Cette variable est une variable meneuse, les variables suivantes sont des variables suiveuses.
- external_ports : ports rendu accessible depuis l'extérieur (cette variable est multiple). - incoming_ports : ports rendu accessible depuis l'extérieur (cette variable est multiple).
- machine_srv : répertoire contenant le répertoire /srv de la machine (cette variable n'est pas obligatoire). - machine_srv : répertoire contenant le répertoire /srv de la machine (cette variable n'est pas obligatoire).
- marchine_journal : répertoire contenant le répertoire /var/log/journal de la machine. - marchine_journal : répertoire contenant le répertoire /var/log/journal de la machine.
- machine_config : répertoire contenant le répertoire /usr/local/lib de la machine. - machine_config : répertoire contenant le répertoire /usr/local/lib de la machine.

3
seed/applicationservice/2022.03.08/host-systemd-machined/extras/machined/00-machined.xml
View file

@ -9,7 +9,8 @@
<variables> <variables>
<variable name="machines" description="Machines started in this host" type="domainname" multi="True" provider="machines"/> <variable name="machines" description="Machines started in this host" type="domainname" multi="True" provider="machines"/>
<family name="machine_" description="Machine " dynamic="machined.machines"> <family name="machine_" description="Machine " dynamic="machined.machines">
<variable name="external_ports_" description="External ports for " hidden="True" type="port" multi="True" provider="external_ports"/> <variable name="incoming_ports_" description="Incomming external ports for " hidden="True" type="port" multi="True" provider="incoming_ports"/>
<variable name="outgoing_ports_" description="Outcoming external ports for " hidden="True" type="port" multi="True" provider="outgoing_ports"/>
<variable name="srv_dir_" description="Directory with srv volume for " hidden="True" type="filename" provider="machine_srv"/> <variable name="srv_dir_" description="Directory with srv volume for " hidden="True" type="filename" provider="machine_srv"/>
<variable name="journal_dir_" description="Directory with journal volume for " hidden="True" type="filename" provider="machine_journal"/> <variable name="journal_dir_" description="Directory with journal volume for " hidden="True" type="filename" provider="machine_journal"/>
<variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="machine_config" mandatory="True"/> <variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="machine_config" mandatory="True"/>

2
seed/applicationservice/2022.03.08/host-systemd-machined/templates/nspawn
View file

@ -23,6 +23,6 @@ VirtualEthernetExtra=%%intname[:15]:host%%idx
%end if %end if
%end for %end for
%end if %end if
%for %%port in %%container['external_ports_' + %%name] %for %%port in %%container['incoming_ports_' + %%name]
Port=tcp:%%port:%%port Port=tcp:%%port:%%port
%end for %end for

24
seed/applicationservice/2022.03.08/host-systemd-machined/templates/risottofirewall.service Normal file
View file

@ -0,0 +1,24 @@
[Unit]
Description=Firewall for Risotto
After=network.target
[Service]
Type=oneshot
%for %%dns in %%machined.machines
%set %%machine = %%normalize_family(%%dns)
%set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
%if %%outgoing
%for %%port in %%outgoing
%if ':' in %%port
%set %%protocol, %%port = %%port.split(':')
%else
%set %%protocol = 'tcp'
%end if
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o enp3s0 -j MASQUERADE
ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o enp3s0 -j MASQUERADE
%end for
%end if
%end for
[Install]
WantedBy=multi-user.target

2
seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
View file

@ -11,7 +11,7 @@
</services> </services>
<variables> <variables>
<family name="network"> <family name="network">
<variable name="external_ports" redefine="True"> <variable name="incoming_ports" redefine="True">
<value>80</value> <value>80</value>
<value>443</value> <value>443</value>
</variable> </variable>

5
seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
View file

@ -34,7 +34,10 @@
<variables> <variables>
<family name="network"> <family name="network">
<variable name="dns_client_address" redefine="True"/> <variable name="dns_client_address" redefine="True"/>
<variable name="external_ports" redefine="True"> <variable name="outgoing_ports" redefine="True">
<value>25</value>
</variable>
<variable name="incoming_ports" redefine="True">
<value>25</value> <value>25</value>
</variable> </variable>
</family> </family>

13
seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/16-machined.xml
View file

@ -26,7 +26,8 @@
<value>False</value> <value>False</value>
</variable> </variable>
<family name="network"> <family name="network">
<variable name="external_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True"/> <variable name="incoming_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True"/>
<variable name="outgoing_ports" type="port" description="Ports autorisés vers l'extérieur" multi="True"/>
<variable name="netwokd_interface_name_type" redefine="True"> <variable name="netwokd_interface_name_type" redefine="True">
<value>host</value> <value>host</value>
</variable> </variable>
@ -65,9 +66,15 @@
</check> </check>
<check name="set_linked_configuration"> <check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param> <param name="linked_server" type="variable">host</param>
<param name="linked_provider">external_ports</param> <param name="linked_provider">incoming_ports</param>
<param name="dynamic" type="variable">domain_name_eth0</param> <param name="dynamic" type="variable">domain_name_eth0</param>
<target>external_ports</target> <target>incoming_ports</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param>
<param name="linked_provider">outgoing_ports</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>outgoing_ports</target>
</check> </check>
<check name="set_linked_configuration"> <check name="set_linked_configuration">
<param name="linked_server" type="variable">host</param> <param name="linked_server" type="variable">host</param>

2
seed/applicationservice/2022.03.08/systemd/applicationservice.yml
View file

@ -1,4 +1,4 @@
format: '0.1' format: '0.1'
description: Configuration de systemd description: Configuration de systemd
depends: depends:
- base - base-machine

4
seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml
View file

@ -19,6 +19,10 @@
<family name="network"> <family name="network">
<variable name="dns_client_address" redefine="True" disabled="True"/> <variable name="dns_client_address" redefine="True" disabled="True"/>
<variable name="ip_dns" redefine="True" remove_fill="True"/> <variable name="ip_dns" redefine="True" remove_fill="True"/>
<variable name="outgoing_ports" redefine="True">
<value>udp:53</value>
<value>53</value>
</variable>
</family> </family>
<family name='dns_resolver' description='Résolveur DNS'> <family name='dns_resolver' description='Résolveur DNS'>
<variable name="unbound_allowed_client" type="ip" description="Réseau des clients autorisés à faire des requêtes DNS" multi="True" mandatory="True" provider="dns"/> <variable name="unbound_allowed_client" type="ip" description="Réseau des clients autorisés à faire des requêtes DNS" multi="True" mandatory="True" provider="dns"/>