
Resolve "move gate SSH into openstack"

Merged Pierre Kelbert requested to merge 18-move-gate-ssh-into-openstack into main
10 files
+ 239
16
+ 86
0
---
afs_realm: CRI.EPITA.FR
afs_cell: cri.epita.fr
afs_kdc_servers: kerberos.pie.cri.epita.fr
afs_kadmin_server: "{{ afs_kdc_servers }}"
afs_csdb:
cell: cri.epita.fr
desc: CRI EPITA
# TODO: generate this
hosts:
- ip: 10.224.21.100
name: afs-0.pie.cri.epita.fr
clone: false
- ip: 10.224.21.101
name: afs-1.pie.cri.epita.fr
clone: false
- ip: 10.224.21.102
name: afs-2.pie.cri.epita.fr
clone: false
afs_install_method: managed
afs_module_install_method: dkms
sssd_service_enabled: true
sssd_manage_sshd_dns_service_lookup: false
sssd_config_type: config
sssd_config:
sssd:
config_file_version: 2
services: nss, pam
domains: LDAP
"domain/LDAP":
cache_credentials: true
enumerate: false
id_provider: ldap
auth_provider: ldap
ldap_uri: ldaps://ldap.pie.cri.epita.fr
ldap_search_base: dc=cri,dc=epita,dc=fr
ldap_id_use_start_tls: true
ldap_tls_reqcert: demand
entry_cache_timeout: 5
ldap_network_timeout: 2
ldap_schema: rfc2307bis
ldap_user_search_base: ou=users,dc=cri,dc=epita,dc=fr
ldap_group_search_base: ou=groups,dc=cri,dc=epita,dc=fr
ssh_gate_keytab: "{{ lookup('community.general.hashi_vault', 'infra/data/ssh-gate/keytab')['keytab'] | b64decode }}" # yamllint disable-line rule:line-length
nft_filter_input_policy: drop
nft_filter_input_default_verdict: accept
nft_filter_forward_policy: accept
nft_filter_forward_default_verdict: accept
nft_filter_output_policy: drop
nft_filter_output_default_verdict: accept
nft_filter_input_rules:
- comment: "Drop invalid connections"
raw: ct state invalid drop
- comment: "Accept all traffic from localhost"
saddr: 127.0.0.0/8
- comment: "Allow SSH"
proto: tcp
dport: 22
nft_filter_output_rules:
- comment: "Accept all traffic to localhost"
daddr: 127.0.0.0/8
- comment: "Allow traffic to 10.0.0.0/8 for everyone"
daddr: 10.0.0.0/8
- comment: "Allow traffic to 91.243.117.0/24"
daddr: 91.243.117.0/24
- comment: "allow all traffic for root"
skuid: 0
- comment: "allow all traffic for _apt"
skuid: 105
- comment: "allow all traffic for cri-roots"
skgid: 1001 # cri-roots