fluffy: migrate to nftables

Referenced issue: https://github.com/status-im/infra-misc/issues/301 Signed-off-by: markoburcul <marko@status.im>
2024-10-10 16:35:02 +02:00 · 2024-10-10 16:35:02 +02:00 · daa4469823
parent 27b10bd710
commit daa4469823
4 changed files with 42 additions and 45 deletions
--- a/ansible/fluffy.yml
+++ b/ansible/fluffy.yml
@ -27,3 +27,13 @@
      with_sequence: start=1 end=32
      loop_control:
        loop_var: index
+
+- name: Configure Nimbus Portal Bridge
+  become: true
+  vars_files: portal-bridge.yml
+  hosts:
+    - metal-01.ih-eu-mda1.nimbus.fluffy
+  roles:
+    - { role: infra-role-open-ports,    tags: open-ports    }
+    - { role: infra-role-nimbus-fluffy, tags: nimbus-fluffy }
+    - { role: infra-role-portal-bridge, tags: portal-bridge }
--- a/ansible/group_vars/nimbus.fluffy.yml
+++ b/ansible/group_vars/nimbus.fluffy.yml
@ -22,9 +22,27 @@ nimbus_fluffy_consul_check_timeout: '10s'
 nimbus_fluffy_consul_success_before_passing: 30
 nimbus_fluffy_consul_failures_before_warning: 1440
 nimbus_fluffy_consul_failures_before_critical: 2880
+# Portal Bridge
+portal_bridge_fluffy_rpc_port: 19900
+portal_bridge_fluffy_listening_port: 19100
+portal_bridge_fluffy_metrics_port: 19200
+portal_bridge_service_name: 'nimbus-portal-bridge-history'
+portal_bridge_command: 'history'
+portal_bridge_latest: true
+portal_bridge_backfill: true
+portal_bridge_audit: true
+portal_bridge_era1_dir: '/era'
+portal_bridge_web3_url: 'http://linux-02.ih-eu-mda1.nimbus.mainnet.wg:8545'
+portal_bridge_portal_rpc_url: 'http://127.0.0.1:{{ portal_bridge_fluffy_rpc_port }}'

-# Open Ports
-open_ports_default_comment: 'SMART Metrics'
-open_ports_default_chain: 'VPN'
+# Migrated to NFTables from IPTables.
+# https://github.com/status-im/infra-misc/issues/301
+bootstrap__firewall_nftables: true
+
+# Open Ports -------------------------------------------------------------------
 open_ports_list:
-  - { port: '{{ smart_metrics_listen_port }}', ipset: 'metrics.hq' }
+  nimbus-fluffy:
+    - { comment: 'Nimbus Fluffy',          port: '{{ nimbus_fluffy_listening_port }}',                                      protocol: 'udp' }
+    - { comment: 'Nimbus Fluffy Metrics',  port: '9201-9232',                          ipset: 'metrics.hq', iifname: 'wg0', protocol: 'tcp' }
+  smart-metrics:
+    - { comment: 'SMART Metrics',          port: '{{ smart_metrics_listen_port }}',    ipset: 'metrics.hq', iifname: 'wg0'                  }
--- a/ansible/portal.yml
+++ b/ansible/portal.yml
@ -1,20 +0,0 @@
---
- name: verify ansible versions
-  hosts: all
-  tags: always
-  become: false
-  run_once: true
-  gather_facts: false
-  tasks:
-    - local_action: command ./roles.py --check
-      changed_when: false
-
- name: Configure Nimbus Portal Bridge
-  become: true
-  vars_files: portal-bridge.yml
-  hosts:
-    - metal-01.ih-eu-mda1.nimbus.fluffy
-  roles:
-    - { role: infra-role-open-ports,    tags: open-ports    }
-    - { role: infra-role-nimbus-fluffy, tags: nimbus-fluffy }
-    - { role: infra-role-portal-bridge, tags: portal-bridge }
--- a/ansible/vars/portal-bridge.yml
+++ b/ansible/vars/portal-bridge.yml
@ -1,26 +1,15 @@
 ---
-# Portal Bridge
-portal_bridge_service_name: 'nimbus-portal-bridge-history'
-portal_bridge_command: 'history'
-portal_bridge_latest: true
-portal_bridge_backfill: true
-portal_bridge_audit: true
-portal_bridge_era1_dir: '/era'
-portal_bridge_web3_url: 'http://linux-02.ih-eu-mda1.nimbus.mainnet.wg:8545'
-portal_bridge_portal_rpc_url: 'http://127.0.0.1:{{ nimbus_fluffy_rpc_port }}'
-
 # Fluffy Node
 nimbus_fluffy_service_name:     'nimbus-portal-bridge-fluffy'
 nimbus_fluffy_network:          'mainnet'
 nimbus_fluffy_repo_branch:      'master'
 nimbus_fluffy_storage_capacity: 0
-nimbus_fluffy_rpc_port: 19900
-nimbus_fluffy_metrics_port: 19200
-nimbus_fluffy_listening_port: 19100
+nimbus_fluffy_rpc_port:         '{{ portal_bridge_fluffy_rpc_port }}'
+nimbus_fluffy_metrics_port:     '{{ portal_bridge_fluffy_metrics_port }}'
+nimbus_fluffy_listening_port:   '{{ portal_bridge_fluffy_listening_port }}'

-# Open Ports
-open_ports_default_comment: 'Nimbus Portal Fluffy'
-open_ports_default_chain: 'VPN'
+# Open Ports -------------------------------------------------------------------
 open_ports_list:
-  - { port: '{{ nimbus_fluffy_metrics_port }}',   ipset: 'metrics.hq' }
-  - { port: '{{ nimbus_fluffy_listening_port }}', chain: 'SERVICES'   }
+  nimbus-portal:
+    - { comment: 'Nimbus Portal',          port: '{{ portal_bridge_fluffy_listening_port }}',                                      protocol: 'udp' }
+    - { comment: 'Nimbus Portal Metrics',  port: '{{ portal_bridge_fluffy_metrics_port }}',   ipset: 'metrics.hq', iifname: 'wg0', protocol: 'tcp' }