iptables: clean up osbuild and add a external block set scaffolding

Setup osbuild so it only needs to exist on the specific builders in the osbuild channel, not all builders. Also, setup things so we can add a blocklist that will block external subnets/ip's if we need to do so. Currently it should just be an empty set, but we can implement it as needed/desired starting with the ips we already were blocking on just some hosts. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-06-27 23:57:02 +08:00 · 2023-06-26 12:38:37 -07:00
parent 7c6fe8c5b8
commit 679f7f6f16
13 changed files with 81 additions and 7 deletions
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@@ -20,6 +20,10 @@ clamscan_paths:
  - /srv/cache/lookaside/pkgs
 # We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_active: True
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs: