Commit 5a6d4425 authored by Wágner Ferenc

Split out firewall setup into the common.nftables submodule

parent f1c7ad8a
......@@ -25,3 +25,6 @@
[submodule "ansible/roles/common.journalbeat"]
path = ansible/roles/common.journalbeat
url = git@dev.niif.hu:ansible/common.journalbeat
[submodule "ansible/roles/common.nftables"]
path = ansible/roles/common.nftables
url = git@dev.niif.hu:ansible/common.nftables
import dns.resolver
class FilterModule(object):
def filters(self):
return { 'dnsSetA': self.dnsSetA,
'dnsSetAAAA': self.dnsSetAAAA }
def dnsLookup(self, record_type, names):
records = []
for n in names:
for rdata in dns.resolver.query(n, record_type):
records.append(rdata.to_text())
return records
def dnsSet(self, recType, names):
return '{ ' + ', '.join(self.dnsLookup(recType, names)) + ' }'
def dnsSetA(self, names):
return self.dnsSet('A', names)
def dnsSetAAAA(self, names):
return self.dnsSet('AAAA', names)
......@@ -18,7 +18,7 @@
# * shares the certificate key with the Debian-exim group and
# * configures Munin plugins. And role dependencies lead to repeats.
- { role: apache, tags: apache }
- { role: nftables, tags: nftables }
- { role: common.nftables, tags: common.nftables }
vars:
- nss_cn: listserv.niif.hu
......@@ -35,6 +35,14 @@
- nrpe_custom_checks:
check_mail_queue: /usr/lib/nagios/plugins/check_frozen
check_Mailman: /usr/bin/sudo -u list /usr/lib/nagios/plugins/check_mailman
- accept_tcp:
- ssh
- https
- smtp
- submission
- reject_tcp:
- auth
- http
tasks:
# This enables TAB completion of host names
......
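Review bot: The `accept_tcp` list in the second hunk opens `ssh` on a public mail host with no source restriction visible, and nothing records why `auth` and `http` are rejected rather than left to the default policy. The role's interface lives in the common.nftables submodule and is not shown here, so whether it can scope a port to management networks needs checking against that role. If it cannot, a comment such as `# ssh is reachable from any source by design` above the list would make the exposure a recorded decision. If the reject entries exist so that ident probes and plain-http clients fail fast, `# rejected (not dropped) so ident and plain-http clients fail fast` above `reject_tcp` would say so. The unprefixed names `accept_tcp` and `reject_tcp` are play-level vars visible to every role in the play; role-prefixed names would avoid collisions, though that change belongs in the submodule.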
Subproject commit aaf5c60e2c5812fc92977e667fe80c9ed235fdf3