firewall: use new IP sets and iptables chains

https://github.com/status-im/infra-hq/issues/69 https://github.com/status-im/infra-role-bootstrap-linux/commit/92d8923b https://github.com/status-im/infra-role-wireguard/commit/8394639e Signed-off-by: Jakub Sokołowski <jakub@status.im>
2021-08-11 19:54:36 +02:00 · 2021-08-11 19:54:36 +02:00 · 5d36d3ad3e
parent 1ff378d392
commit 5d36d3ad3e
10 changed files with 52 additions and 23 deletions
--- a/ansible/geth.yml
+++ b/ansible/geth.yml
@ -16,5 +16,6 @@
    - nimbus-geth-mainnet
  roles:
    - { role: swap-file,                tags: swap-file }
+    - { role: open-ports,               tags: open-ports }
    - { role: infra-role-geth,          tags: infra-role-geth }
    - { role: infra-role-geth-exporter, tags: infra-role-geth-exporter }
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -48,3 +48,11 @@ beacon_node_max_peers: 320
 # resource limits
 beacon_node_mem_limit: '{{ (ansible_memtotal_mb * 0.60) | int }}'
 beacon_node_mem_reserve: '{{ (ansible_memtotal_mb * 0.4) | int }}'
+
+# Open Ports
+open_ports_default_comment: 'Beacon Node'
+open_ports_default_chain: 'SERVICES'
+open_ports_list:
+  - { port: '{{ beacon_node_listening_port }}', protocol: 'tcp' }
+  - { port: '{{ beacon_node_discovery_port }}', protocol: 'udp' }
+  - { port: '{{ beacon_node_metrics_port }}',   chain: 'VPN', ipset: 'metrics.hq' }
--- a/ansible/group_vars/log-store.yml
+++ b/ansible/group_vars/log-store.yml
@ -53,6 +53,17 @@ oauth_cookie_secret: '{{ lookup("passwordstore", "services/cookie-secret") }}'
 oauth_id: '{{ lookup("passwordstore", "services/elastic-hq-nimbus/oauth-id") }}'
 oauth_secret: '{{ lookup("passwordstore", "services/elastic-hq-nimbus/oauth-secret") }}'

+
+# Open Ports
+open_ports_default_comment: 'ElasticSearch'
+open_ports_default_chain: 'VPN'
+open_ports_list:
+  - { port: 80,  protocol: 'tcp', chain: 'SERVICES' }
+  - { port: 443, protocol: 'tcp', chain: 'SERVICES' }
+  - { port: '{{ es_api_port }}',          ipset: 'log-store.nimbus' }
+  - { port: '{{ es_node_port }}',         ipset: 'log-store.nimbus' }
+  - { port: '{{ es_metrics_cont_port }}', ipset: 'metrics.hq' }
+
 # Proxy for ES HQ
 nginx_sites:
  elasticsearch_hq_http:
@ -72,9 +83,3 @@ nginx_sites:
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:{{ oauth_local_port }}/;
      }
-
-# Open Nginx Ports
-open_ports_default_comment: 'HTTP & HTTPS'
-open_ports_list:
-  - { port: 80,  protocol: 'tcp' }
-  - { port: 443, protocol: 'tcp' }
--- a/ansible/group_vars/nimbus-geth-goerli.yml
+++ b/ansible/group_vars/nimbus-geth-goerli.yml
@ -1,7 +1,5 @@
 ---
-# This node is used as replacement for Infura for end-to-end tests.
-
-# Syncing can use a lot of mamory
+# This node is used as replacement for Infura for end-to-end tests.  Syncing can use a lot of mamory
 swap_file_size_mb: 4096

 # Geth node
@ -28,3 +26,9 @@ geth_port: 30303
 geth_rpc_port: 8545
 geth_websocket_port: 8546
 geth_expo_cont_port: 9200
+
+# Open Ports
+open_ports_default_comment: 'Geth Metrics'
+open_ports_default_chain: 'VPN'
+open_ports_list:
+  - { port: '{{ geth_expo_cont_port }}', ipset: 'metrics.hq' }
--- a/ansible/group_vars/nimbus-geth-mainnet.yml
+++ b/ansible/group_vars/nimbus-geth-mainnet.yml
@ -27,3 +27,9 @@ geth_port: 30303
 geth_rpc_port: 8545
 geth_websocket_port: 8546
 geth_expo_cont_port: 9200
+
+# Open Ports
+open_ports_default_comment: 'Geth Metrics'
+open_ports_default_chain: 'VPN'
+open_ports_list:
+  - { port: '{{ geth_expo_cont_port }}', ipset: 'metrics.hq' }
--- a/ansible/mainnet.yml
+++ b/ansible/mainnet.yml
@ -13,5 +13,6 @@
  become: true
  hosts: 'nimbus-mainnet-small'
  roles:
-    - { role: get-geth-web3-urls,     tags: [ get-geth-web3-urls ] }
-    - { role: infra-role-beacon-node, tags: [ infra-role-beacon-node, beacon-node ] }
+    - { role: open-ports,                   tags: [ open-ports ] }
+    - { role: get-geth-web3-urls,           tags: [ get-geth-web3-urls ] }
+    - { role: infra-role-beacon-node-linux, tags: [ beacon-node ] }
--- a/ansible/prater.yml
+++ b/ansible/prater.yml
@ -27,20 +27,22 @@
    - nimbus-prater-stable
    - nimbus-prater-testing
    - nimbus-prater-unstable
+    - nimbus-prater-unstable-libp2p-stable
+    - nimbus-prater-unstable-libp2p-unstable
  roles:
    - role: get-geth-web3-urls
      tags: get-geth-web3-urls
    - role: infra-role-beacon-node-docker
-      tags: [ infra-role-beacon-node-docker, beacon-node ]
+      tags: beacon-node

 - name: Deploy mainnet linux beacon nodes
  become: true
  hosts: nimbus-prater-metal
  roles:
-    - { role: get-geth-web3-urls,     tags: [ get-geth-web3-urls ] }
+    - { role: get-geth-web3-urls, tags: [ get-geth-web3-urls ] }
  tasks:
    - include_role: name=infra-role-beacon-node-linux
-      tags: [ beacon-node, infra-role-beacon-node-linux ]
+      tags: beacon-node
      vars:
        beacon_node_repo_branch: '{{ node.branch }}'
        beacon_node_build_frequency: '{{ node.build_frequency }}'
@ -64,7 +66,7 @@
  fact_path: 'C:/ansible/facts.d'
  tasks:
    - include_role: name=infra-role-beacon-node-windows
-      tags: [ beacon-node, infra-role-beacon-node-windows ]
+      tags: beacon-node
      vars:
        beacon_node_repo_branch: '{{ node.branch }}'
        beacon_node_build_start_time: '{{ node.build_start }}'
--- a/ansible/pyrmont.yml
+++ b/ansible/pyrmont.yml
@ -15,10 +15,10 @@
    - nimbus-pyrmont-metal
  roles:
    - role: get-geth-web3-urls
-      tags: [ get-geth-web3-urls ]
+      tags: get-geth-web3-urls
  tasks:
    - include_role: name=infra-role-beacon-node-linux
-      tags: [ beacon-node, infra-role-beacon-node-linux ]
+      tags: beacon-node
      vars:
        # Using whole libp2p branch name would be far too long.
        beacon_node_service_name: 'beacon-node-{{ beacon_node_network }}-{{ node.name }}'
--- a/ansible/rayonism.yml
+++ b/ansible/rayonism.yml
@ -15,5 +15,7 @@
  any_errors_fatal: true
  hosts: 'nimbus.rayonism'
  roles:
-    - { role: infra-role-geth,        tags: [ infra-role-geth ] }
-    - { role: infra-role-beacon-node, tags: [ infra-role-beacon-node, beacon-node ] }
+    - role: infra-role-geth
+      tags: infra-role-geth
+    - role: infra-role-beacon-node-linux
+      tags: beacon-node
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -11,12 +11,12 @@

 - name: open-ports
  src: git@github.com:status-im/infra-role-open-ports.git
-  version: 54125c7d291289aaea51ca313fc694d057d803fa
+  version: 24dc30dbdf85e6758cb6924074b2f7a0f4541524
  scm: git

 - name: infra-role-bootstrap-linux
  src: git@github.com:status-im/infra-role-bootstrap-linux.git
-  version: 73d16a19970db4d1e27aa284bc3e4786b8a3c659
+  version: 53e96605481a84542702bd72e94a58eb63da9c9e
  scm: git

 - name: infra-role-bootstrap-windows
@ -26,7 +26,7 @@

 - name: infra-role-wireguard
  src: git@github.com:status-im/infra-role-wireguard.git
-  version: dcd0ff242ef79b733af5d050d8a3766821698797
+  version: 1beaa34f9b9b00e286faeeb177e2233e431a1634
  scm: git

 - name: oauth-proxy
@ -96,7 +96,7 @@

 - name: infra-role-geth
  src: git@github.com:status-im/infra-role-geth.git
-  version: 06966616e6cbad7dd7e41efcf70120a15ab21da5
+  version: 5b91c936dcef80780fbf7c3a879b4277b6ccf92c
  scm: git

 - name: infra-role-geth-exporter