changeset 471:65290cb0cec2
Tidy up SSH firewall handling
We can be generic while referencing private values for specific
ports
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sun, 12 May 2024 19:51:53 +0100 |
parents | f68d7f7c080b |
children | 73e28468a543 |
files | manifests/nodes.pp manifests/templates.pp |
diffstat | 2 files changed, 14 insertions(+), 0 deletions(-) [+] |
--- a/manifests/nodes.pp Sun May 12 19:50:56 2024 +0100
+++ b/manifests/nodes.pp Sun May 12 19:51:53 2024 +0100
@@ -16,6 +16,12 @@
 proto => 'tcp',
 action => 'accept',
 }
+ firewall { '090 Allow SSH (SSH proxy)':
+ dport => 22,
+ source => '2a00:1098:0:84:1000:3:0:2',
+ proto => 'tcp',
+ action => 'accept',
+ }
 }
 node 'vpsarm.home' {
 class { 'ibboardvpsnode':
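Review bot: The new '090 Allow SSH (SSH proxy)' rule gives an IPv6 literal as `source` but sets no `provider`; with puppetlabs-firewall the default provider is iptables, which cannot take an IPv6 source, so unless a `Firewall { provider => 'ip6tables' }` resource default applies outside this hunk the rule needs `provider => 'ip6tables',` or it will fail to apply and port 22 stays closed to the proxy. The enclosing node block starts and ends outside the hunk, so I cannot see whether such a default exists. As a point of style, the proxy address and port 22 are hard-coded here while the same commit moves the per-host SSH ports into privat::params; sourcing the proxy address from the same place would keep one authoritative copy of the values this exposure depends on.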
--- a/manifests/templates.pp Sun May 12 19:50:56 2024 +0100
+++ b/manifests/templates.pp Sun May 12 19:51:53 2024 +0100
@@ -94,6 +94,7 @@
 if $proxy_4to6_ip_prefix != undef { # …:1 to …:9 for websites, …:10 for mail
+ # Note: IPv6 is hexadecimal and so 0x10 is not in a /124 netblock with 0x01 to 0x09!
 $ipv6_addresses = Integer[1, 10].map |$octet| { "$proxy_4to6_ip_prefix:$octet" } if $operatingsystem == 'Ubuntu' { # Ubuntu can't parse the existing file, so we need to brute-force it with a template
@@ -189,6 +190,13 @@
 '--comment "Do not purge',
 ],
 }
+ include privat::params
+ $ssh_ports = $::privat::params::ssh_port[$::fqdn]
+ firewall { '090 Allow SSH':
+ dport => $ssh_ports - 22,
+ proto => 'tcp',
+ action => 'accept',
+ }
 if ($fw_protocol != "IPv6") {
 firewall { '010 Whitelist Googlebot':
 source => '66.249.64.0/19',
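Review bot: In the second hunk, `dport => $ssh_ports - 22` only removes port 22 when `$::privat::params::ssh_port[$::fqdn]` is an Array; on an Integer, Puppet's `-` is arithmetic subtraction, so a host whose entry is a single port such as 2222 would silently get 2200 opened instead, and the singular key name `ssh_port` suggests scalar values may exist. A host missing from that hash yields undef, which the `-` operator should reject at catalog compile rather than produce a rule, but that is a hard failure with an unhelpful message. Normalise the lookup before the difference, `dport => Array($ssh_ports, true) - 22,`, and consider an explicit `fail()` with the fqdn when the lookup is undef so the cause is obvious. Since the nodes.pp hunk relies on this rule to keep port 22 reachable only from the proxy, getting the difference right is what enforces that intent. The enclosing class starts and ends outside the hunk, so I cannot see whether the value type is constrained elsewhere.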