From a51741c5a0431f05517628b658121e15384779ee Mon Sep 17 00:00:00 2001
From: Rasmus Thorslund
Date: Thu, 30 Jan 2025 16:05:39 +0100
Subject: [PATCH] added nftables for cisoas
---
 .../overlay/etc/hiera/data/local.yaml | 11 +++++++++++
 global/overlay/etc/puppet/cosmos-rules.yaml | 3 +++
 .../etc/puppet/modules/net/manifests/nftables.pp | 8 ++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml
 create mode 100644 global/overlay/etc/puppet/modules/net/manifests/nftables.pp
diff --git a/cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml b/cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml
new file mode 100644
index 0000000..88b5d02
--- /dev/null
+++ b/cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml
@@ -0,0 +1,11 @@
+sunet::nftables::allow::rules:
+ allow_access_to_cisoassistant:
+ from: 'any'
+ port: 8443
+ to: 'any'
+ proto: 'tcp'
+ allow_access_to_cisoassistant_api:
+ from: 'any'
+ port: 9443
+ to: 'any'
+ proto: 'tcp'
diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index d62d3c7..c865ba6 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -142,3 +142,6 @@ nifrontend-sto1-prod-1.sunet.se:
 - 'sthb-lb-1.sunet.se'
 - 'tug-lb-1.sunet.se'
 port: '443'
+
+cisoas-sto4-prod-1.sunet.se:
+ net::nftables:
diff --git a/global/overlay/etc/puppet/modules/net/manifests/nftables.pp b/global/overlay/etc/puppet/modules/net/manifests/nftables.pp
new file mode 100644
index 0000000..c7bc2c9
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/net/manifests/nftables.pp
@@ -0,0 +1,8 @@
+$nftables_rules = lookup('sunet::nftables::allow::rules', Hash, 'deep', {})
+
+# Create resources for each rule
+$nftables_rules.each |$name, $params| {
+ sunet::nftables::allow { $name:
+ * => $params,
+ }
+}
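Review bot: Both rules in local.yaml use `from: 'any'`, so TCP 8443 and 9443 on cisoas-sto4-prod-1 become reachable from every source address, and nothing in the hunk records whether that exposure is intended. If the service is meant to be reached only through the SUNET load balancers, as the nifrontend entry visible in the cosmos-rules.yaml context is, `from` should list those hosts rather than `'any'`; if it is deliberately public, a comment above the first rule such as `# CISO Assistant UI (8443) and API (9443) are served directly from this host; no LB in front` would document the decision. Note also that `port: 8443` is an unquoted YAML integer while the existing cosmos-rules.yaml entry writes `port: '443'` as a string; whether `sunet::nftables::allow` accepts an Integer there cannot be seen from this patch and should be confirmed before the first puppet run.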
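Review bot: nftables.pp is placed at modules/net/manifests/nftables.pp and cosmos-rules.yaml references it as the class `net::nftables`, but the file contains only top-level code and never declares `class net::nftables { ... }`; unless the cosmos rule loader applies manifests by path rather than by class name, the autoloader will not find the class and the host will fail to apply. Wrap the body so the file starts with `class net::nftables {` and ends with `}`, indenting the existing lookup and each loop inside it. A short header comment explaining that the rules come from the `sunet::nftables::allow::rules` hiera key and that the `'deep'` merge lets global and per-host data combine would also help the next reader, since the `{}` default means a host with no hiera data silently gets no rules.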