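---
# This is an example to demonstrate
# - behaviour of the role
# - how to add overlay/merged custom configuration items to group_vars inventory/group_vars/firewalld.xml

# Master switch for the role; the rulesets, ipsets and zones below are only
# applied when this is true.
firewalld:
  enable: true
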
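# create new ruleset
# - each xcat_network with a corresponding entry in inventory/networks.yml will have an ipset automatically generated
# - each xcat_network entry will assign the service to a zone of that name; the zone accepts ingress from the corresponding ipset
# - xcat_groups will assign the ruleset to hosts in groups
#
# this ruleset applies inbound ftp to cluster and infiniband zones on hosts in groups all/compute/slurm/ansible
firewalld_services:
  - name: ftp
    short: "FTP"
    description: "FTP service"
    port:
      - port: 21
        protocol: tcp
    xcat_groups:
      - compute
      - all
      - slurm
      - ansible
    xcat_networks:
      - cluster
      - infiniband

  # create new ruleset with a custom zone
  # - the xcat_networks entry zabbix is not present in inventory/networks.yml, so a new zone zabbix will be created
  # - the zone requires an ipset named zabbix to add an ingress source (see firewalld_ipsets below)
  - name: zabbix
    short: "Zabbix"
    description: "Zabbix Ports"
    port:
      - port: 10050
        protocol: tcp
      - port: 10051
        protocol: tcp
    xcat_groups:
      - all
    xcat_networks:
      - zabbix
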
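# create new ipset
# - this ipset is for the corresponding auto-generated zabbix zone required by the zabbix service (ruleset)
# - only addresses listed under targets are admitted into the zone; keep the list as narrow as possible
firewalld_ipsets:
  zabbix:
    short: "zabbix"
    description: "zabbix ipset"
    type: 'hash:ip'
    targets:
      - 172.22.1.220/32
      # - 172.22.1.0/24
      # - 10.0.10.0/16
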
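# create new zone
# - this zone has an embedded ruleset to allow ANY inbound from the IP range; no ipset is required
# - target ACCEPT admits every port/protocol from the listed sources, so the source list should
#   stay restricted to known management hosts (a single /32 here)
firewalld_zones:
  - name: mgt
    short: "MGT"
    description: "management host"
    target: "ACCEPT"
    source:
      - address: 172.22.1.220/32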