diff --git a/pillar/id/quiz_infra_opensuse_org.sls b/pillar/id/quiz_infra_opensuse_org.sls
new file mode 100644
index 0000000..c01e9e0
--- /dev/null
+++ b/pillar/id/quiz_infra_opensuse_org.sls
@@ -0,0 +1,16 @@
+grains:
+ site: prg2
+ hostusage:
+ - Quizzes
+ reboot_safe: yes
+ aliases: []
+ description: Quiz container host
+ documentation: []
+ responsible:
+ - crameleon
+ partners: []
+ weburls:
+ - quiz.opensuse.org
+ - '*.quiz.opensuse.org'
+roles:
+ - quiz
diff --git a/pillar/infra/certificates/heroes.yaml b/pillar/infra/certificates/heroes.yaml
index e08e2d6..f72fc82 100644
--- a/pillar/infra/certificates/heroes.yaml
+++ b/pillar/infra/certificates/heroes.yaml
@@ -95,6 +95,11 @@ netbox1.infra.opensuse.org:
 - host: netbox1
 services:
 - apache2
+quiz.infra.opensuse.org:
+ targets:
+ - host: quiz
+ services:
+ - nginx
 tyr.infra.opensuse.org:
 sans:
 - tyr1.infra.opensuse.org
diff --git a/pillar/infra/hosts.yaml b/pillar/infra/hosts.yaml
index a0211c3..a5c7b9f 100644
--- a/pillar/infra/hosts.yaml
+++ b/pillar/infra/hosts.yaml
@@ -943,6 +943,18 @@ progressoo:
 legacy_boot: true
 ram: 4096MB
 vcpu: 4
+quiz:
+ cluster: falkor
+ disks:
+ data0: 3600a09803831494f635d554b39503174
+ root: 3600a09803831494f635d554b39503173
+ interfaces:
+ os-web:
+ ip6: 2a07:de40:b27e:1218::a10/64
+ mac: 00:16:3e:14:67:93
+ source: x-os-web
+ ram: 2048MB
+ vcpu: 1
 riesling:
 cluster: falkor
 disks:
diff --git a/pillar/role/quiz.sls b/pillar/role/quiz.sls
new file mode 100644
index 0000000..a0ee833
--- /dev/null
+++ b/pillar/role/quiz.sls
@@ -0,0 +1,7 @@
+users:
+ quiz:
+ fullname: Quiz application user
+
+zypper:
+ packages:
+ podman: {}
diff --git a/salt/files/nftables/asgard/01_variables.nft b/salt/files/nftables/asgard/01_variables.nft
index 28fb1ce..a9b9076 100644
--- a/salt/files/nftables/asgard/01_variables.nft
+++ b/salt/files/nftables/asgard/01_variables.nft
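Review bot: The new `quiz.infra.opensuse.org` certificate entry carries only the infra hostname, while the id pillar in the first hunk lists `quiz.opensuse.org` and `'*.quiz.opensuse.org'` as this host's weburls; if the nginx named under `services` terminates TLS for those public names, they need to be listed under `sans:` the way the neighbouring `tyr.infra.opensuse.org` entry does, e.g. `sans:` / `- quiz.opensuse.org` / `- '*.quiz.opensuse.org'`. If the public names are instead terminated on a front proxy, a one-line comment above the entry saying so would save the next reader the same question.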
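Review bot: The role creates the `quiz` user and installs `podman`, but neither this pillar nor the test setup script in the last hunk (`useradd -U quiz`) says anything about subordinate uid/gid ranges; if the containers implied by the "Quiz container host" description are meant to run rootless as `quiz`, confirm that the users state ends up with `/etc/subuid` and `/etc/subgid` entries for that account, and if they are meant to run as root, say so. A short comment on the `quiz:` entry naming which account runs the containers, e.g. `# unprivileged account for the quiz containers (rootless podman)`, would make the intended privilege boundary explicit.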
@@ -202,6 +202,7 @@ define host4_matomo = 172.16.164.141/32
 define host6_matomo = 2a07:de40:b27e:1203:0000:0000:0000:0b19/128
 define host6_backup = 2a07:de40:b27e:1203:0000:0000:0000:0140/128
 define host6_riesling = 2a07:de40:b27e:1203:0000:0000:0000:00b2/128
+define host6_quiz = 2a07:de40:b27e:1218:0000:0000:0000:0a10/128
 # Remote Gateways via P2P networks
diff --git a/salt/files/nftables/asgard/base_inet/sets.nft b/salt/files/nftables/asgard/base_inet/sets.nft
index 2edb4c6..3d06405 100644
--- a/salt/files/nftables/asgard/base_inet/sets.nft
+++ b/salt/files/nftables/asgard/base_inet/sets.nft
@@ -630,6 +630,15 @@ set cloud4_rails-assets {
 }
 }
+set cloud4_registry_suse {
+ type ipv4_addr
+ flags interval
+ elements = {
+ 75.2.43.231/32,
+ 99.83.188.102/32,
+ }
+}
+
 set cloud4_sentry_apex {
 type ipv4_addr
 flags interval
@@ -807,6 +816,15 @@ set cloud46_rails-assets {
 }
 }
+set cloud46_registry_suse {
+ type ipv6_addr
+ flags interval
+ elements = {
+ 2a07:de40:b27e:64::4b02:2be7/128,
+ 2a07:de40:b27e:64::6353:bc66/128,
+ }
+}
+
 set cloud46_sentry_apex {
 type ipv6_addr
 flags interval
@@ -931,6 +949,25 @@ set cloud6_fastly { # addresses tend to differ between services but are probably
 }
 }
+set cloud6_npmjs {
+ type ipv6_addr
+ flags interval
+ elements = {
+ 2606:4700::6810:123,
+ 2606:4700::6810:1822,
+ 2606:4700::6810:1922,
+ 2606:4700::6810:1a22,
+ 2606:4700::6810:1b22,
+ 2606:4700::6810:1c22,
+ 2606:4700::6810:1d22,
+ 2606:4700::6810:1e22,
+ 2606:4700::6810:1f22,
+ 2606:4700::6810:223,
+ 2606:4700::6810:23,
+ 2606:4700::6810:323,
+ }
+}
+
 set cloud4_maxmind {
 type ipv4_addr
 flags interval
@@ -1013,6 +1050,14 @@ set acl6_internet_rails-assets {
 }
 }
+set acl6_internet_registry_suse {
+ type ipv6_addr
+ flags interval
+ elements = {
+ $host6_quiz,
+ }
+}
+
 set acl6_internet_github_web {
 type ipv6_addr
 flags interval
diff --git a/salt/files/nftables/asgard/zones/00_acls.nft b/salt/files/nftables/asgard/zones/00_acls.nft
index 578ba93..fb0f506 100644
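Review bot: `cloud4_registry_suse` pins registry.suse.com to two literal IPv4 addresses with no note of where they were obtained or when; the same applies to `cloud46_registry_suse` (the NAT64-mapped form of the same two addresses) and to the twelve `cloud6_npmjs` addresses in the later hunks of this file. These appear to be CDN/anycast front addresses rather than the services' own, so when the provider rotates them the egress rules silently stop matching and the quiz host only leaves `[Web Denied]` log lines behind. A provenance comment on each set would make that failure mode diagnosable, e.g. `# registry.suse.com; resolved <DATE-PLACEHOLDER>, re-resolve if pulls start being rejected`, in the same spirit as the existing `cloud6_fastly` comment visible in the third hunk header.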
--- a/salt/files/nftables/asgard/zones/00_acls.nft
+++ b/salt/files/nftables/asgard/zones/00_acls.nft
@@ -17,3 +17,8 @@ chain acl_internet_github {
 oifname nat64 ip6 saddr @acl6_internet_github_packages ip6 daddr @cloud46_github_packages tcp dport https accept
 }
+chain acl_internet_registry_suse {
+ # registry.suse.com ACL
+ oifname nat64 ip6 saddr @acl6_internet_registry_suse ip6 daddr @cloud46_registry_suse icmpv6 type { echo-request, echo-reply } accept
+ oifname nat64 ip6 saddr @acl6_internet_registry_suse ip6 daddr @cloud46_registry_suse tcp dport https accept
+}
diff --git a/salt/files/nftables/asgard/zones/05_nat64.nft b/salt/files/nftables/asgard/zones/05_nat64.nft
index a2311b0..c738b64 100644
--- a/salt/files/nftables/asgard/zones/05_nat64.nft
+++ b/salt/files/nftables/asgard/zones/05_nat64.nft
@@ -46,4 +46,7 @@ chain input_network_nat64 {
 # rails-assets.org
 oif os-p2p-pub ip saddr $nat64_v4 ip daddr @cloud4_rails-assets tcp dport https accept
+ # registry.suse.com ACL
+ oif os-p2p-pub ip saddr $nat64_v4 ip daddr @cloud4_registry_suse ip protocol icmp icmp type { echo-request, echo-reply } accept
+ oif os-p2p-pub ip saddr $nat64_v4 ip daddr @cloud4_registry_suse tcp dport https accept
 }
diff --git a/salt/files/nftables/asgard/zones/1218_os-web.nft b/salt/files/nftables/asgard/zones/1218_os-web.nft
index 9cbd019..a23172e 100644
--- a/salt/files/nftables/asgard/zones/1218_os-web.nft
+++ b/salt/files/nftables/asgard/zones/1218_os-web.nft
@@ -7,6 +7,12 @@ ip6 saddr $net6_os-web ip6 daddr @self6_web ip6 nexthdr icmpv6 accept
+ oif os-p2p-pub ip6 saddr $host6_quiz ip6 daddr @cloud6_npmjs icmpv6 type { echo-request, echo-reply } accept
+ oif os-p2p-pub ip6 saddr $host6_quiz ip6 daddr @cloud6_npmjs tcp dport https accept
+
+ jump acl_internet_github
+ jump acl_internet_registry_suse
+ log prefix "[Web Denied] " reject with icmpv6 type admin-prohibited }
diff --git a/salt/role/quiz.sls b/salt/role/quiz.sls
new file mode 100644
index 0000000..a5b1924
--- /dev/null
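Review bot: `jump acl_internet_github` is newly added to the os-web zone, but this diff puts `$host6_quiz` only into `acl6_internet_registry_suse`; the `acl6_internet_github_*` sets that gate that chain are untouched here, so unless some os-web host is already a member of them the jump matches nothing, and if quiz is meant to reach GitHub it needs an entry in those sets (otherwise the jump should wait until it does). Separately, the two npmjs rules are written inline against `$host6_quiz` rather than through a set and an ACL chain the way `acl_internet_registry_suse` is done in the 00_acls hunk; an `acl6_internet_npmjs` set with an `acl_internet_npmjs` chain would keep the per-host egress grants in one place and let further os-web hosts be added without editing this zone file. The enclosing chain starts before this hunk.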
+++ b/salt/role/quiz.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.web.server.nginx
diff --git a/test/setup/role/quiz b/test/setup/role/quiz
new file mode 100755
index 0000000..93d0e23
--- /dev/null
+++ b/test/setup/role/quiz
@@ -0,0 +1,2 @@
+#!/bin/sh -eu
+useradd -U quiz