diff --git a/map.jinja b/map.jinja
index 8268820..fdfc82e 100644
--- a/map.jinja
+++ b/map.jinja
@@ -1,208 +1,214 @@ {% set dirs = salt['grains.filter_by']({ 'Debian': { 'etc': '/etc', 'bin': '/usr/bin', 'include': '/usr/include', 'lib': '/usr/lib', 'man': '/usr/share/man', 'sbin': '/usr/sbin', 'share': '/usr/share', }, 'FreeBSD' : { 'etc': '/usr/local/etc', 'bin': '/usr/local/bin', 'include': '/usr/local/include', 'lib': '/usr/local/lib', 'man': '/usr/local/man', 'sbin': '/usr/local/sbin', 'share': '/usr/local/share', }, }, default='Debian') %} {% set services = salt['grains.filter_by']({ 'Debian': { 'manager': 'systemd', + 'firewall': 'iptables', + }, + 'RedHat': { + 'manager': 'systemd', + 'firewall': 'firewalld', }, 'FreeBSD' : { 'manager': 'rc', + 'firewall': 'pf', }, }, default='Debian') %} {% set shells = salt['grains.filter_by']({ 'Debian': { 'bash': '/bin/bash', 'fish': '/usr/bin/fish', 'nologin': '/usr/sbin/nologin', 'tcsh': '/usr/bin/tcsh', 'zsh': '/bin/zsh', }, 'FreeBSD' : { 'bash': '/usr/local/bin/bash', 'fish': '/usr/local/bin/fish', 'nologin': '/sbin/nologin', 'tcsh': '/bin/tcsh', 'zsh': '/usr/local/bin/zsh', }, 'Arch': { 'bash': '/bin/bash', 'fish': '/usr/bin/fish', 'nologin': '/sbin/nologin', 'tcsh': '/usr/bin/tcsh', 'zsh': '/bin/zsh', }, }, default='Debian') %} {% set paths = salt['grains.filter_by']({ 'FreeBSD': { 'sshd': '/usr/sbin/sshd', 'sftp': '/usr/libexec/sftp-server', }, 'Debian': { 'sshd': '/usr/sbin/sshd', 'sftp': '/usr/lib/openssh/sftp-server', }, 'RedHat': { 'sshd': '/sbin/sshd', 'sftp': '/usr/libexec/openssh/sftp-server', }, 'Arch': { 'sshd': '/usr/sbin/sshd', 'sftp': '/usr/lib/ssh/sftp-server', }, }, default='FreeBSD') %} {% set packages_prefixes = salt['grains.filter_by']({ 'Debian': { 'php': 'php7.2-', 'python2': '', 'python3': 'python3-', 'rubygem': '', }, 'RedHat': { 'python2': 'python-', 'python3': 'python3-', 'rubygem': 'rubygem-', }, 'FreeBSD' : { 'php': 'php72-', 'python2': 'py27-', 'python3': 'py36-', 'rubygem': 'rubygem-', }, }, default='Debian') %} {% set packages = salt['grains.filter_by']({ 'Debian' : { 'ag': 
'silversearcher-ag', 'aspell-fr': 'aspell-fr', 'aspell-en': 'aspell-en', 'boost': 'libboost-all-dev', 'certbot': 'certbot', 'composer': 'composer', 'cppunit': 'libcppunit-dev', 'emacs': 'emacs-nox', 'exiftool': 'libimage-exiftool-perl', 'gpg': 'gpg', 'imagemagick': 'imagemagick', 'jpeg-turbo' : 'libjpeg-turbo', 'librabbitmq': 'librabbitmq-dev', 'lua': 'lua5.1', 'mariadb': 'mariadb-server', 'node': 'nodejs', 'pear': 'php-pear', 'phpcs': 'php-codesniffer', 'phpunit': 'phpunit', 'postgresql': 'postgresql-10', 'sphinx': 'python3-sphinx', 'tcl': 'tcl8.6-dev', 'tcltls': 'tcl-tls', 'tdom': 'tdom', 'varnish': 'varnish', 'verbiste': 'verbiste', 'youtube-dl': 'youtube-dl', 'yubico-pam': 'libpam-yubico', }, 'RedHat': { 'ag': 'the_silver_searcher', 'aspell-fr': 'aspell-fr', 'certbot': 'python2-certbot', 'cppunit': 'cppunit-devel', 'emacs': 'emacs-nox', 'exiftool': 'perl-Image-ExifTool', 'jpeg-turbo' : 'libjpeg-turbo', 'librabbitmq': 'librabbitmq', 'lua': 'lua', 'mariadb': 'mariadb-server', 'node': 'nodejs', 'pear': 'php-pear', 'phpcs': 'php-pear-PHP-CodeSniffer', 'sphinx': 'python3-sphinx', 'tcl': 'tcl', 'tcltls': 'tcltls', 'varnish': 'varnish', 'youtube-dl': 'youtube-dl', 'yubico-pam': 'pam_yubico', }, 'Arch': { 'ag': 'the_silver_searcher', 'aspell-fr': 'aspell-fr', 'certbot': 'certbot', 'cppunit': 'cppunit', 'emacs': 'emacs-nox', 'mariadb': 'mariadb', 'sphinx': 'python-sphinx', 'tcltls': 'tcltls', 'varnish': 'varnish', 'youtube-dl': 'youtube-dl', 'yubico-pam': 'yubico-pam', }, 'FreeBSD' : { 'ag': 'the_silver_searcher', 'aspell-fr': 'fr-aspell', 'aspell-en': 'en-aspell', 'boost': 'boost-all', 'certbot': 'py27-certbot', 'composer': 'php-composer', 'cppunit': 'cppunit', 'emacs': 'emacs-nox11', 'exiftool': 'p5-Image-ExifTool-devel', 'gpg': 'gnupg', 'imagemagick': 'ImageMagick', 'jpeg-turbo' : 'jpeg-turbo', 'librabbitmq': 'rabbitmq-c-devel', 'lua': 'lua51', 'mariadb': 'mariadb102-server', 'node': 'node', 'pear': 'pear', 'phpcs': 'pear-PHP_CodeSniffer', 'phpunit': 'phpunit6', 
'postgresql': 'postgresql10-server', 'sphinx': 'py36-sphinx', 'tcl': 'tcl86', 'tcltls': 'tcltls', 'tdom': 'tDOM', 'varnish': 'varnish5', 'verbiste': 'fr-verbiste', 'youtube-dl': 'youtube_dl', 'yubico-pam': 'pam_yubico', }, }, default='Debian') %} {# ------------------------------------------------------------- Capabilities of OS and distributions :: MOTD-printed-at-login Login mechanism, through PAM or dotfiles, prints the MOTD when a session is opened. When at False, OpenSSH will take care of it. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #} {% set capabilities = salt['grains.filter_by']({ 'Debian': { 'MOTD-printed-at-login': True, }, 'FreeBSD' : { 'MOTD-printed-at-login': False, }, }, default='Debian') %} diff --git a/roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja b/roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja new file mode 100644 index 0000000..60eeeb7 --- /dev/null +++ b/roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja @@ -0,0 +1,15 @@ + + + Public + For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + + + +{% for subnet in subnets %} + + + + +{% endfor %} + diff --git a/roles/paas-docker/docker/firewall.sls b/roles/paas-docker/docker/firewall.sls index e69de29..b93143a 100644 --- a/roles/paas-docker/docker/firewall.sls +++ b/roles/paas-docker/docker/firewall.sls 
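Review bot: The new `firewall` key in `services` is undocumented, and the map's `default='Debian'` means every os_family that is not listed (Arch has entries in `shells`, `paths` and `packages` but none in `services`) silently reports `iptables`; since this commit only dispatches on the value `'firewalld'` in firewall.sls, such hosts get no firewall state and no error. A short comment in the file's existing `{# … #}` style above the `services` map would make the contract explicit: `{# services.firewall: host firewall manager (iptables, firewalld or pf) that roles use to choose which rule format to deploy; families not listed inherit the Debian entry #}`. Consider also adding an explicit `'Arch'` entry so the fallback is a decision rather than an accident.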
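Review bot: This template replaces the whole `public` zone definition, and the XML element tags appear to have been lost in this rendering so only the text content and the `{% for subnet in subnets %}` loop are visible; if the four lines before the loop do not re-declare the services the stock zone ships with (notably `ssh`), the first firewalld reload after the file lands would drop remote SSH access on hosts whose interfaces sit in `public`. The template also trusts every entry of `subnets` to be a well-formed CIDR string, and one malformed value would likely make firewalld reject the zone file as a whole. A header comment would help the next reader place it: `{# Rendered to {{ dirs.etc }}/firewalld/zones/public.xml by roles/paas-docker/docker/firewall.sls; subnets is the list returned by paas_docker.get_subnets() (presumably the Docker network CIDRs — confirm) #}`.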
@@ -0,0 +1,24 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-05-24
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, services with context %}
+
+# -------------------------------------------------------------
+# Firewalld
+# -------------------------------------------------------------
+
+{% if services['firewall'] == 'firewalld' %}
+
+{{ dirs.etc }}/firewalld/zones/public.xml:
+ file.managed:
+ - source: salt://roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja
+ - template: jinja
+ - context:
+ subnets: {{ salt['paas_docker.get_subnets']() }}
+
+{% endif %}
diff --git a/roles/paas-docker/docker/init.sls b/roles/paas-docker/docker/init.sls
index 4492e44..be2b88d 100644
--- a/roles/paas-docker/docker/init.sls
+++ b/roles/paas-docker/docker/init.sls
@@ -1,14 +1,15 @@
# -------------------------------------------------------------
# Salt — Provision Docker engine
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2018-03-09
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .software
- .storage
- .config
- .images
+ - .firewall
- .networks
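Review bot: Nothing reloads firewalld after `{{ dirs.etc }}/firewalld/zones/public.xml` changes — `file.managed` writes the zone file but there is no `service` state and no `watch_in` requisite, so the new sources only take effect at the next daemon restart and the running ruleset silently diverges from what is on disk. `subnets: {{ salt['paas_docker.get_subnets']() }}` also renders the Python list repr straight into YAML; passing it through Salt's `json` filter (`{{ salt['paas_docker.get_subnets']() | json }}`) makes that unambiguous. Note too that the execution-module call runs at render time, before any state in the run executes, so on a fresh host the zone is rendered with whatever Docker networks exist before `.networks` (included after `.firewall` in init.sls) creates them; a requisite on the network states would make that ordering deliberate rather than incidental. The rewrite below adds a managed `firewalld` service that the zone file watches, with `reload: True` so a change reloads rather than restarts the daemon.
```yaml
{{ dirs.etc }}/firewalld/zones/public.xml:
  file.managed:
    # … unchanged: source, template …
    - context:
        subnets: {{ salt['paas_docker.get_subnets']() | json }}
    - watch_in:
      - service: firewalld

firewalld:
  service.running:
    - enable: True
    - reload: True
```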