WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-05-01 14:02:12 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
7aa7553b84af5dc8efa78e9d8a4e50dde369052d
fedora-infra_ansible/inventory/group_vars/proxies
Kevin Fenzi 03656f0288 proxies / rdu3: make most proxies use vpn but rdu3 goes direct 
We need this because the cluster needs to be able to access api in order
to pull images, etc. So, in rdu3 proxies we go direct to the cluster
nodes, but in all the other proxies we go via the vpn.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-06-16 15:42:12 -07:00

168 lines
9.2 KiB
Plaintext
Raw Blame History

---
# Define resources for this group of hosts here.
blocked_ip_v6: []
blocked_ips: ['14.102.69.78', '104.219.54.236', '103.38.177.2', '110.172.140.98', '183.80.131.253', '113.190.178.137', '115.76.39.108', '116.109.31.204', '209.64.155.56']
collectd_apache: true
# For the MOTD
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
# allow varnish from localhost
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
# also allow varnish from internal for purge requests
'-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.0/24 --dport 6081 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.120 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.121 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.122 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.123 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.124 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.125 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.126 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.65 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.127 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.128 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.16.163.129 -j ACCEPT']
nft_block_rules:
- 'add rule ip filter INPUT ip saddr 81.69.171.38 counter reject'
- 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject'
- 'add rule ip filter INPUT ip saddr 47.76.0.0/14 counter reject'
- 'add rule ip filter INPUT ip saddr 47.80.0.0/13 counter reject'
- 'add rule ip filter INPUT ip saddr 47.74.0.0/15 counter reject'
- 'add rule ip filter INPUT ip saddr 66.249.64.0/24 counter reject'
- 'add rule ip filter INPUT ip saddr 43.134.64.0/18 counter reject'
- 'add rule ip filter INPUT ip saddr 43.134.0.0/18 counter reject'
- 'add rule ip filter INPUT ip saddr 43.134.224.0/19 counter reject'
- 'add rule ip filter INPUT ip saddr 43.159.41.0/24 counter reject'
- 'add rule ip filter INPUT ip saddr 43.163.8.0/24 counter reject'
- 'add rule ip filter INPUT ip saddr 43.128.64.0/18 counter reject'
- 'add rule ip filter INPUT ip saddr 43.156.0.0/18 counter reject'
- 'add rule ip filter INPUT ip saddr 43.128.64.0/18 counter reject'
- 'add rule ip filter INPUT ip saddr 43.133.32.0/19 counter reject'
- 'add rule ip filter INPUT ip saddr 43.134.128.0/18 counter reject'
- 'add rule ip filter INPUT ip saddr 43.159.37.0/24 counter reject'
- 'add rule ip filter INPUT ip saddr 43.153.192.0/18 counter reject'
- 'add rule ip filter INPUT ip saddr 43.159.32.0/24 counter reject'
- 'add rule ip filter INPUT ip saddr 43.156.64.0/18 counter reject'
- 'add rule ip filter INPUT ip saddr 43.163.0.0/24 counter reject'
- 'add rule ip filter INPUT ip saddr 14.153.15.174 counter reject'
- 'add rule ip filter INPUT ip saddr 47.246.0.0/16 counter reject'
- 'add rule ip filter INPUT ip saddr 47.236.0.0/14 counter reject'
- 'add rule ip filter INPUT ip saddr 47.235.0.0/16 counter reject'
- 'add rule ip filter INPUT ip saddr 47.240.0.0/14 counter reject'
- 'add rule ip filter INPUT ip saddr 47.244.0.0/15 counter reject'
nft_custom_rules:
# Need for rsync from log01 for logs.
- 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
- 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
- 'add rule ip filter INPUT ip saddr 209.132.181.102 tcp dport 873 counter accept'
# allow varnish from localhost
- 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept'
- 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept'
# also allow varnish from internal for purge requests
- 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.0/24 tcp dport 6081 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.120 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.121 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.122 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.123 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.124 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.125 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.126 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.65 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.127 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.128 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.129 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.120 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.121 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.122 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.123 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.124 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.125 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.126 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.65 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.127 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.128 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.16.163.129 tcp dport 22623 counter accept'
external: true
ipa_client_shell_groups:
- fi-apprentice
- sysadmin-noc
- sysadmin-veteran
- sysadmin-web
ipa_client_sudo_groups:
- sysadmin-web
ipa_host_group: proxies
ipa_host_group_desc: Proxies between internal hosts and the Internet
lvm_size: 100000
# This is used in the httpd.conf to determine the value for serverlimit and
# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this
# should be lowered in the host vars for that proxy.
maxrequestworkers: 2500
mem_size: 8192
nagios_Check_Services:
swap: false
num_cpus: 6
ocp_masters:
#- bootstrap.ocp.iad2.fedoraproject.org
- ocp01.ocp.iad2.fedoraproject.org
- ocp02.ocp.iad2.fedoraproject.org
- ocp03.ocp.iad2.fedoraproject.org
# we override this here to point to the vpn endpoints of the ocp_nodes instead of
# The real internal hostnames. This is because proxies access them via vpn.
ocp_nodes:
- worker01.vpn.fedoraproject.org
- worker02.vpn.fedoraproject.org
- worker03.vpn.fedoraproject.org
- worker04.vpn.fedoraproject.org
- worker05.vpn.fedoraproject.org
- worker06.vpn.fedoraproject.org
# On most proxies we want to use the vpn to access the rdu3 compute nodes.
# We override this for the rdu3 proxies themseleves, they go direct.
ocp_nodes_rdu3:
- worker01-rdu3.vpn.fedoraproject.org
- worker02-rdu3.vpn.fedoraproject.org
- worker03-rdu3.vpn.fedoraproject.org
- worker04-rdu3.vpn.fedoraproject.org
- worker05-rdu3.vpn.fedoraproject.org
postvpnservices:
- haproxy
- varnish
primary_auth_source: ipa
tcp_ports: [
# For apache, generally.
80, 443,
# This is for TCP krb5
1088,
# This is for RabbitMQ public access
5671,
# openshift 4 api
6443,
# This is for RabbitMQ internal-public access
15671,
# This is for TOTP
8443,
]
varnish_group: proxies
zabbix_templates:
- group: "proxies" # Ansible group
template: "external_hosts_http.json" # Template name in roles/zabbix/zabbix_templates/files/templatename.json
custom_template: true # Is the template official template bundled with Zabbix or one of our custom templates
hostgroup: "fedora external hosts" # Zabbix hostgroup
notes: |
* Provides frontend (reverse) proxy for most web applications
* Using Apache -> haproxy, these hosts contact app servers and other various hosts to provide web applications at sites like
fedoraproject.org and admin.fedoraproject.org.
* The proxy servers are balanced via dns and geoIP and are spread all over the place.
Reference in New Issue View Git Blame Copy Permalink