boot,store,store-db: switch to nftables

https://github.com/status-im/infra-misc/issues/301
2024-09-12 16:40:48 +02:00 · 2024-09-12 16:40:48 +02:00 · f8c8dac98d
parent 901a62f455
commit f8c8dac98d
5 changed files with 22 additions and 24 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -1,4 +1,6 @@
 ---
+bootstrap__firewall_nftables: true
+
 # Root password
 bootstrap__root_pass: '{{lookup("bitwarden", "root-pass")}}'
 # Consul
--- a/ansible/group_vars/boot.yml
+++ b/ansible/group_vars/boot.yml
@ -85,16 +85,15 @@ certbot_certs_map:
        - '{{ nim_waku_websocket_domain }}'
        - '{{ nim_waku_websocket_domain | replace("status."+stage, "shards.staging") }}' # Legacy Fleet Name

-# Open LibP2P Ports
-open_ports_default_comment: '{{ nim_waku_cont_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
+# Open Nim-Waku Ports
 open_ports_list:
-  - { port: '80', comment: 'Nginx and Certbot' }
-  - { port: '{{ nim_waku_p2p_tcp_port }}' }
-  - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
-  - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' }
-  - { port: '{{ nim_waku_websock_port }}' }
+  nginx:
+    - { comment: 'Nginx and Certbot', port: '80' }
+  nim-waku:
+    - { comment: 'Nim-Waku LibP2P',       port: '{{ nim_waku_p2p_tcp_port }}' }
+    - { comment: 'Nim-Waku Discovery v5', port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
+    - { comment: 'Nim-Waku Metrics',      port: '{{ nim_waku_metrics_port }}', ipset: 'metrics.hq', iifname: 'wg0' }
+    - { comment: 'Nim-Waku WebSocket',    port: '{{ nim_waku_websock_port }}' }

 # Public Config file access
 nginx_sites:
--- a/ansible/group_vars/store-db.yml
+++ b/ansible/group_vars/store-db.yml
@ -66,8 +66,6 @@ postgres_ha_consul_failures_before_warning: 5
 postgres_ha_consul_failures_before_critical: 10

 # Open PostgreSQL Port
-open_ports_default_comment: '{{ postgres_ha_service_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
 open_ports_list:
-  - { port: '{{ postgres_ha_cont_port }}', ipset: '{{ env }}.{{ stage }}' }
+  postgres:
+    - { comment: 'PostgreSQL', port: '{{ postgres_ha_cont_port }}', ipset: '{{ env }}.{{ stage }}', iifname: 'wg0' }
--- a/ansible/group_vars/store.yml
+++ b/ansible/group_vars/store.yml
@ -92,16 +92,15 @@ certbot_certs_map:
        - '{{ nim_waku_websocket_domain }}'
        - '{{ nim_waku_websocket_domain | replace("status."+stage, "shards.staging") }}' # Legacy Fleet Name

-# Open LibP2P Ports
-open_ports_default_comment: '{{ nim_waku_cont_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
+# Open Nim-Waku Ports
 open_ports_list:
-  - { port: '80', comment: 'Nginx and Certbot' }
-  - { port: '{{ nim_waku_p2p_tcp_port }}' }
-  - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
-  - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' }
-  - { port: '{{ nim_waku_websock_port }}' }
+  nginx:
+    - { comment: 'Nginx and Certbot', port: '80' }
+  nim-waku:
+    - { comment: 'Nim-Waku LibP2P',       port: '{{ nim_waku_p2p_tcp_port }}' }
+    - { comment: 'Nim-Waku Discovery v5', port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
+    - { comment: 'Nim-Waku Metrics',      port: '{{ nim_waku_metrics_port }}', ipset: 'metrics.hq', iifname: 'wg0' }
+    - { comment: 'Nim-Waku WebSocket',    port: '{{ nim_waku_websock_port }}' }

 # Public Config file access
 nginx_sites:
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -22,8 +22,8 @@

 - name: infra-role-certbot
  src: git@github.com:status-im/infra-role-certbot.git
-  version: dfd0bce4e5e2484f9be6f38ca34af92e5461ee8c
+  version: 41e768fe2e9212366c6a33aa8c2e30d0b2832e80

 - name: infra-role-postgres-ha
  src: git@github.com:status-im/infra-role-postgres-ha.git
-  version: aa752f40623a7f92ce4a95c40cbbabf815452945
+  version: fbc3376e790c526bb401edb1a6a1ffdc4a4d1ae1