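#!/usr/bin/env ansible-playbook
---
# Firewall policy for the two infra routers (infra-1 / infra-2).
#
# firewall__zones names address sets; firewall__input / __output /
# __forward / __nat are rule lists consumed by the `firewall` role.
# NOTE(review): rule ordering and the default verdict of each chain are
# defined by the role, not here — confirm against roles/firewall before
# relying on "first match wins".
- hosts:
    - infra-1.back.infra.auro.re
    - infra-2.back.infra.auro.re
  vars:
    firewall__zones:
      # Each zone pairs an IPv6 /64 with an IPv4 /16; the third IPv6 hextet
      # and the second IPv4 octet carry the same zone number (201 <-> 10.201).
      adm-legacy:
        addrs:
          - 2a09:6840:128::/64
          - 10.128.0.0/16
      ups:
        addrs:
          - 2a09:6840:201::/64
          - 10.201.0.0/16
      edge:
        addrs:
          - 2a09:6840:202::/64
          - 10.202.0.0/16
      core:
        addrs:
          - 2a09:6840:203::/64
          - 10.203.0.0/16
      monit:
        addrs:
          - 2a09:6840:204::/64
          - 10.204.0.0/16
      wifi:
        addrs:
          - 2a09:6840:205::/64
          - 10.205.0.0/16
      int:
        addrs:
          - 2a09:6840:206::/64
          - 10.206.0.0/16
      sw:
        addrs:
          - 2a09:6840:207::/64
          - 10.207.0.0/16
      bmc:
        addrs:
          - 2a09:6840:208::/64
          - 10.208.0.0/16
      pve:
        addrs:
          - 2a09:6840:209::/64
          - 10.209.0.0/16
      isp:
        addrs:
          - 2a09:6840:210::/64
          - 10.210.0.0/16
      # ext additionally carries a public IPv4 /24.
      ext:
        addrs:
          - 2a09:6840:211::/64
          - 45.66.111.0/24
          - 10.211.0.0/16
      vpn-clients:
        addrs:
          - 2a09:6840:212::/64
          - 10.212.0.0/16
      vpn:
        addrs:
          - 2a09:6840:213::/64
          - 10.213.0.0/16
      # Aggregate of every internal zone above EXCEPT vpn-clients, which is
      # deliberately kept separate so it can be given narrower rules.
      infra:
        zones:
          - adm-legacy
          - ups
          - core
          - edge
          - monit
          - wifi
          - int
          - sw
          - bmc
          - pve
          - isp
          - ext
          - vpn
      # NOTE(review): `negate: true` presumably means "everything NOT in
      # addrs" — confirm with the role. The prefixes listed cover every
      # zone above (2a09:6840::/32, 45.66.108.0/22, 10.0.0.0/8) plus two
      # more /32s and the CGNAT range 100.64.0.0/10.
      internet:
        negate: true
        addrs:
          - 2a09:6840::/32
          - 2a09:6841::/32
          - 2a09:6842::/32
          - 45.66.108.0/22
          - 10.0.0.0/8
          - 100.64.0.0/10
    # The routers' own input and output chains accept everything, from any
    # source: nothing in this playbook limits who can reach services
    # listening on the routers themselves.
    # NOTE(review): once confirmed which zones need to reach the routers
    # (e.g. adm-legacy, monit, vpn), restrict input to those sources.
    firewall__input:
      - verdict: accept
    firewall__output:
      - verdict: accept
    firewall__forward:
      # VPN clients may reach every internal zone.
      - src: vpn-clients
        dst: infra
        verdict: accept
      # Unrestricted egress for ALL internal zones, including bmc and sw.
      # Flagged by the author as temporary; narrow it to the zones that
      # actually need Internet access and track the removal.
      - src: infra # FIXME: temporary
        dst: internet
        verdict: accept
      # Monitoring may only ping the BMC network.
      - src: monit
        dst: bmc
        protocols:
          icmp: true
        verdict: accept
      # Legacy admin network has full access to the BMCs.
      - src: adm-legacy
        dst: bmc
        verdict: accept
      # No `src` given, so presumably this matches any source (Internet
      # included — confirm with the role): UDP/5121 to one dual-stacked
      # host in the ext zone.
      - dst:
          - 2a09:6840:211::204
          - 45.66.111.204
        protocols:
          udp:
            dport: 5121
        verdict: accept
    firewall__nat:
      # Source-NAT all 10/8 traffic leaving toward internet behind one
      # public address. `protocols: null` is presumably "all protocols" —
      # confirm with the role.
      - src: 10.0.0.0/8
        dst: internet
        protocols: null
        snat:
          addr: 45.66.111.200/32
  roles:
    - firewall
...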