SUNET/net-ops
9
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

added nftables for cisoas

Browse source
This commit is contained in:
Rasmus Thorslund 2025-01-30 16:05:39 +01:00
parent ed5a117f4b
commit a51741c5a0
No known key found for this signature in database
GPG key ID: 502D33332E9E305D
3 changed files with 22 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
cisoas-sto4-prod-1.sunet.se/overlay/etc/hiera/data/local.yaml Normal file
View file

@ -0,0 +1,11 @@
sunet::nftables::allow::rules:
allow_access_to_cisoassistant:
from: 'any'
port: 8443
to: 'any'
proto: 'tcp'
allow_access_to_cisoassistant_api:
from: 'any'
port: 9443
to: 'any'
proto: 'tcp'

3
global/overlay/etc/puppet/cosmos-rules.yaml
View file

@ -142,3 +142,6 @@ nifrontend-sto1-prod-1.sunet.se:
- 'sthb-lb-1.sunet.se' - 'sthb-lb-1.sunet.se'
- 'tug-lb-1.sunet.se' - 'tug-lb-1.sunet.se'
port: '443' port: '443'
cisoas-sto4-prod-1.sunet.se:
net::nftables:

8
global/overlay/etc/puppet/modules/net/manifests/nftables.pp Normal file
View file

@ -0,0 +1,8 @@
$nftables_rules = lookup('sunet::nftables::allow::rules', Hash, 'deep', {})
# Create resources for each rule
$nftables_rules.each |$name, $params| {
sunet::nftables::allow { $name:
* => $params,
}
}