grains:

  city: QSC-nuremberg

  country: de-qsc

  roles:

    - firewall

  hostusage:

    - IPMI access

  reboot_safe: yes

  salt_cluster: opensuse

  virt_cluster: bare-metal

  aliases: []

  description: IPMI backdoor for widehat.infra.opensuse.org (Remote access) and hypervisor for VMs (use slimhat as virt_cluster entry)

  documentation: []

  responsible:

    - kbabioch

    - mcaj

    - rklein

    - lrupp

  partners: []

  weburls: []

# Firewall configuration

firewalld:

  enabled: true

  LogDenied: 'off'

  default_zone: public

  services:

    monitoring:

      short: monitoring

      description: >-

        These ports are required for monitoring based on check_mk and NRPE.

      ports:

        tcp:

          - 5665

          - 6556

  zones:

    heroes-internal:

      short: heroes-internal

      description: >-

        Internal VPN network.

      interfaces:

        - tun0

      services:

        - ssh

        - monitoring

    heroes-external:

      short: heroes-external

      description: >-

        Special ZONE with openSUSE VPN external IP addresses, so we can

        guarantee that we have public access to SSH in case VPN goes down, but

        without exposing SSH to the internet.

      sources:

        # SUSE's public networks (Nuremberg)

        - 195.135.220.0/24

        - 195.135.221.0/24

        # SUSE's public network (Prague)

        - 213.151.88.128/25

        # QSC public networks (i.e. widehat)

        - 62.146.92.200/29

        - 62.146.92.208/29

        # Backdoor of @kbabioch for the time being

        - 24.134.156.21

        # Backdoor of @rklein for the time being

        - 72.14.176.247

      services:

        - ssh

    # NOT USED ZONES -- let it be to keep them clear and not attached to any

    # interface or sources and without any service declared.

    public:

      short: Public

    internal:

      short: Internal

    work:

      short: Work

    trusted:

      short: Trusted