grains:
city: QSC-nuremberg
country: de-qsc
roles:
- firewall
hostusage:
- IPMI access
reboot_safe: yes
salt_cluster: opensuse
virt_cluster: bare-metal
aliases: []
description: IPMI backdoor for widehat.infra.opensuse.org (Remote access) and hypervisor for VMs (use slimhat as virt_cluster entry)
documentation: []
responsible:
- kbabioch
- mcaj
- rklein
- lrupp
partners: []
weburls: []
# Firewall configuration
firewalld:
enabled: true
LogDenied: 'off'
default_zone: public
services:
monitoring:
short: monitoring
description: >-
These ports are required for monitoring based on check_mk and NRPE.
ports:
tcp:
- 5665
- 6556
zones:
heroes-internal:
short: heroes-internal
description: >-
Internal VPN network.
interfaces:
- tun0
services:
- ssh
- monitoring
heroes-external:
short: heroes-external
description: >-
Special ZONE with openSUSE VPN external IP addresses, so we can
guarantee that we have public access to SSH in case VPN goes down, but
without exposing SSH to the internet.
sources:
# SUSE's public networks (Nuremberg)
- 195.135.220.0/24
- 195.135.221.0/24
# SUSE's public network (Prague)
- 213.151.88.128/25
# QSC public networks (i.e. widehat)
- 62.146.92.200/29
- 62.146.92.208/29
# Backdoor of @kbabioch for the time being
- 24.134.156.21
# Backdoor of @rklein for the time being
- 72.14.176.247
services:
- ssh
# NOT USED ZONES -- let it be to keep them clear and not attached to any
# interface or sources and without any service declared.
public:
short: Public
internal:
short: Internal
work:
short: Work
trusted:
short: Trusted