grains:
city: QSC-nuremberg
country: de-qsc
roles:
- firewall
hostusage:
- IPMI access
reboot_safe: yes
salt_cluster: opensuse
virt_cluster: bare-metal
aliases: []
description: IPMI backdoor for widehat.infra.opensuse.org (Remote access)
documentation: []
responsible:
- kbabioch
- mcaj
- rklein
partners: []
weburls: []
# Firewall configuration
firewalld:
enabled: true
LogDenied: 'off'
default_zone: public
zones:
heroes-internal:
short: heroes-internal
description: >-
Internal VPN network.
interfaces:
- tun0
services:
- ssh
ports:
tcp:
- 5666
- 6556
heroes-external:
short: heroes-external
description: >-
Special ZONE with openSUSE VPN external IP addresses, so we can
guarantee that we have public access to SSH in case VPN goes down, but
without exposing SSH to the internet.
sources:
# SUSE's public networks (Nuremberg)
- 195.135.220.0/24
- 195.135.221.0/24
# SUSE's public network (Prague)
- 213.151.88.128/25
# QSC public networks (i.e. widehat)
- 62.146.92.200/29
- 62.146.92.208/29
# Backdoor of @kbabioch for the time being
- 24.134.156.21
# Backdoor of @rklein for the time being
- 72.14.176.247
services:
- ssh
# NOT USED ZONES -- let it be to keep them clear and not attached to any
# interface or sources and without any service declared.
public:
short: Public
internal:
short: Internal
work:
short: Work
trusted:
short: Trusted