WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-03-19 19:46:38 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
369056132af641ad203c7e60ed8a77db93a9b663
fedora-infra_ansible/inventory/group_vars/bastion_stg
Nils Philippsen 6c85fda0c9 Mass remove/replace iad2 -> rdu3, 10.3. -> 10.16. 
Signed-off-by: Nils Philippsen <nils@redhat.com>
2025-07-03 20:05:02 +02:00

57 lines
2.0 KiB
Plaintext
Raw Blame History

---
# Define resources for this group of hosts here.
bastion_ipa_client_shell_groups:
- pungi-devel
- sysadmin-analysis
- sysadmin-dba
- sysadmin-ppc
- sysadmin-secondary
- sysadmin-spin
- sysadmin-troubleshoot
# this only works if the `batcave_stg` group and at least one host in it is defined
# batcave_ipa_client_shell_groups: "{{ hostvars[groups['batcave_stg'][0]]['ipa_client_shell_groups'] | default([]) }}"
batcave_ipa_client_shell_groups: []
# These variables are pushed into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
#
# drop incoming traffic from less trusted vpn hosts
# allow ntp from internal RH 10 nets
#
custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
nft_block_rules:
- 'add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type host-prohibited'
- 'add rule ip filter INPUT ip saddr 10.0.0.0/8 udp dport 123 counter accept'
#
# Set this to get fasjson-client cron to make the aliases file
#
fasjson_aliases: true
ipa_client_shell_groups: "{{ (bastion_ipa_client_shell_groups + batcave_ipa_client_shell_groups) | sort | unique }}"
#
# allow a bunch of sysadmin groups here so they can access internal stuff
#
ipa_host_group: bastion
ipa_host_group_desc: Bastion hosts
lvm_size: 20000
mem_size: 8192
nagios_Check_Services:
mail: false
nrpe: true
nrpe_procs_crit: 1200
#
# Sometimes there are lots of postfix processes
#
nrpe_procs_warn: 1100
num_cpus: 4
#
# allow incoming openvpn and smtp
#
tcp_ports: [22, 25, 1194]
udp_ports: [1194]
notes: |
SSH proxy to access STAGING infrastructure not exposed to the web
* Provides ssh access to all rdu3/vpn connected servers.
* Bastion is the hub for all infrastructure's VPN connections.
* All incoming SMTP from rdu3 and VPN, as well as outgoing SMTP, pass or are filtered here.
* Bastion does not accept any mail outside phx2/vpn.
Reference in New Issue View Git Blame Copy Permalink