WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-03-20 03:57:02 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
80aa4bbbc2ec45c0ea6f6f3b5e36191273ac1677
fedora-infra_ansible/inventory/group_vars/proxies
James Antill 80aa4bbbc2 Initial version of iptables to nftables conversion.
2025-01-16 11:28:24 -05:00

116 lines
6.1 KiB
Plaintext
Raw Blame History

---
# Define resources for this group of hosts here.
blocked_ip_v6: []
blocked_ips: ['14.102.69.78', '104.219.54.236', '103.38.177.2', '110.172.140.98', '183.80.131.253', '113.190.178.137', '115.76.39.108', '116.109.31.204', '209.64.155.56']
collectd_apache: true
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Provides frontend (reverse) proxy for most web applications
csi_relationship: |
Using Apache -> haproxy, these hosts contact app servers and
other various hosts to provide web applications at sites like
fedoraproject.org and admin.fedoraproject.org. The proxy servers are
balanced via dns and geoIP and are spread all over the place.
# For the MOTD
csi_security_category: Moderate
custom_rules: [
# Need for rsync from log01 for logs.
'-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 873 -j ACCEPT',
# allow varnish from localhost
'-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 6082 -j ACCEPT',
# also allow varnish from internal for purge requests
'-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 6081 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.0/24 --dport 6081 -j ACCEPT',
# Allow happinesspackets.fedorainfracloud.org to talk to inbound fedmsg relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.58 -j ACCEPT',
# Allow openqa01 to talk to the inbound fedmsg relay.
'-A INPUT -p tcp -m tcp --dport 9941 -s 10.3.174.0/24 -j ACCEPT',
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
nft_custom_rules:
# Need for rsync from log01 for logs.
- 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
- 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
- 'add rule ip filter INPUT ip saddr 209.132.181.102 tcp dport 873 counter accept'
# allow varnish from localhost
- 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept'
- 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept'
# also allow varnish from internal for purge requests
- 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.0/24 tcp dport 6081 counter accept'
# Allow happinesspackets.fedorainfracloud.org to talk to inbound fedmsg relay.
- 'add rule ip filter INPUT ip saddr 209.132.184.58 tcp dport 9941 counter accept'
# Allow openqa01 to talk to the inbound fedmsg relay.
- 'add rule ip filter INPUT ip saddr 10.3.174.0/24 tcp dport 9941 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.120 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.121 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.122 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.123 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.124 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.125 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.126 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.65 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.127 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.128 tcp dport 22623 counter accept'
- 'add rule ip filter INPUT ip saddr 10.3.163.129 tcp dport 22623 counter accept'
external: true
ipa_client_shell_groups:
- fi-apprentice
- sysadmin-noc
- sysadmin-veteran
- sysadmin-web
ipa_client_sudo_groups:
- sysadmin-web
ipa_host_group: proxies
ipa_host_group_desc: Proxies between internal hosts and the Internet
lvm_size: 100000
# This is used in the httpd.conf to determine the value for serverlimit and
# maxrequestworkers. On 8gb proxies, 900 seems fine. But on 4gb proxies, this
# should be lowered in the host vars for that proxy.
maxrequestworkers: 2500
mem_size: 8192
nagios_Check_Services:
swap: false
num_cpus: 6
ocp_masters:
#- bootstrap.ocp.iad2.fedoraproject.org
- ocp01.ocp.iad2.fedoraproject.org
- ocp02.ocp.iad2.fedoraproject.org
- ocp03.ocp.iad2.fedoraproject.org
# we override this here to point to the vpn endpoints of the ocp_nodes instead of
# The real internal hostnames. This is because proxies access them via vpn.
ocp_nodes:
- worker01.vpn.fedoraproject.org
- worker02.vpn.fedoraproject.org
- worker03.vpn.fedoraproject.org
- worker04.vpn.fedoraproject.org
- worker05.vpn.fedoraproject.org
- worker06.vpn.fedoraproject.org
postvpnservices:
- haproxy
- varnish
primary_auth_source: ipa
tcp_ports: [
# For apache, generally.
80, 443,
# This is for TCP krb5
1088,
# This is for RabbitMQ public access
5671,
# openshift 4 api
6443,
# This is for RabbitMQ internal-public access
15671,
# This is for TOTP
8443,
# For fedmsg websocket server over stunnel
9939,
# For fedmsg raw zeromq socket (outbound)
9940,
# 9941 is closed generally, is for the inbound fedmsg and is covered in
# custom_rules
]
varnish_group: proxies
zabbix_templates:
- group: "proxies" # Ansible group
template: "external_hosts_http.json" # Template name in roles/zabbix/zabbix_templates/files/templatename.json
custom_template: true # Is the template official template bundled with Zabbix or one of our custom templates
hostgroup: "fedora external hosts" # Zabbix hostgroup
Reference in New Issue View Git Blame Copy Permalink