diff --git a/pillar/firewall/addfirewall.sh b/pillar/firewall/addfirewall.sh
new file mode 100644
index 000000000..3d2187f25
--- /dev/null
+++ b/pillar/firewall/addfirewall.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# This script adds ip addresses to specific rule sets defined by the user
+
+POLICY=$1
+IPADDRESS=$2
+
+echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls
+salt-call state.apply firewall
\ No newline at end of file
diff --git a/so-setup-network.sh b/so-setup-network.sh
index 70b6689bf..b22b8467f 100644
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -476,6 +476,7 @@ salt_master_directories() {
 
   # Copy over the salt code and templates
   cp -R pillar/* /opt/so/saltstack/pillar/
+  chmod +x /opt/so/saltstack/pillar/firewall/addfirewall.sh
   cp -R salt/* /opt/so/saltstack/salt/
 }
 
@@ -515,6 +516,34 @@ sensor_pillar() {
 
 set_initial_firewall_policy() {
   get_main_ip
+  local POLICYPATH=/opt/so/salstack/pillar/firewall
+
+  if [ $INSTALLTYPE == 'MASTERONLY' ]; then
+
+    echo " - $MAINIP" >> $POLICYPATH/minions.sls
+
+  fi
+  if [ $INSTALLTYPE == 'SENSORONLY' ]; then
+
+    ssh -i ~/.ssh/so.key socore@$MSRV sudo $POLICYPATH/addfirewall.sh minions $MAINIP
+    ssh -i ~/.ssh/so.key socore@$MSRV sudo $POLICYPATH/addfirewall.sh forward_nodes $MAINIP
+
+  fi
+  if [ $INSTALLTYPE == 'STORAGENODE' ]; then
+
+  fi
+
+  if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
+
+  fi
+
+  if [ $INSTALLTYPE == 'HOTNODE' ]; then
+
+  fi
+
+  if [ $INSTALLTYPE == 'WARMNODE' ]; then
+
+  fi
 }
 
 set_updates() {
@@ -547,6 +576,7 @@ update_sudoers() {
 
   # Update Sudoers so that socore can accept keys without a password
   echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | sudo tee -a /etc/sudoers
+  echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | sudo tee -a /etc/sudoers
 }
 
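Review bot: `$1` is interpolated unchecked into the target path on the `echo " - $2" >> .../$1.sls` line, and because the sudoers hunk later in this diff lets socore run this script as root with any arguments, a policy name like `../../../../etc/cron.d/x` would append caller-chosen text to an arbitrary root-owned file; `$2` is likewise never checked to be an address. The script should reject anything but a simple rule-set name and an IPv4 literal before touching the filesystem, and use the already-assigned `$POLICY`/`$IPADDRESS` instead of the bare positionals. Restricting the name to an `.sls` file that already exists in the firewall directory looks like the right allow-list given the two rule sets the setup script uses, but whether callers ever need to create a new rule set is not visible in this diff. Quoting the path also matters once `$1` is validated, since the unquoted expansion would otherwise word-split.
```shell
# … unchanged: shebang and header comment …
set -euo pipefail

POLICY=$1
IPADDRESS=$2
POLICYDIR=/opt/so/saltstack/pillar/firewall

# Both arguments are untrusted: this script is run through passwordless sudo.
# Accept only a plain rule-set name that already exists and an IPv4 literal.
if [[ ! "$POLICY" =~ ^[A-Za-z0-9_]+$ || ! -f "$POLICYDIR/$POLICY.sls" ]]; then
  printf 'addfirewall.sh: unknown rule set %q\n' "$POLICY" >&2
  exit 1
fi
if [[ ! "$IPADDRESS" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  printf 'addfirewall.sh: not an IPv4 address %q\n' "$IPADDRESS" >&2
  exit 1
fi

echo " - $IPADDRESS" >> "$POLICYDIR/$POLICY.sls"
salt-call state.apply firewall
```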
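Review bot: Since the sudoers hunk later in this diff lets socore run this script as root without a password, its ownership and write permission matter at least as much as the execute bit added on the `chmod +x` line; `cp -R` without `-p` takes the mode from the source tree and the umask, and if the pillar tree ends up writable by socore the sudo rule is an immediate path to root. Pin both explicitly next to the chmod: `chown root:root /opt/so/saltstack/pillar/firewall/addfirewall.sh` and `chmod 0755 /opt/so/saltstack/pillar/firewall/addfirewall.sh`. Who owns `/opt/so/saltstack/pillar` is not visible in this diff, so this may already hold in practice.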
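Review bot: The four trailing `if [ $INSTALLTYPE == 'STORAGENODE' ]; then` … `fi` blocks have empty bodies, which bash rejects as a syntax error ("syntax error near unexpected token `fi'"), so this function definition aborts the whole setup script the moment it is parsed. Separately, `POLICYPATH` is set to `/opt/so/salstack/pillar/firewall` (missing the "t"), so the MASTERONLY branch appends into a directory that does not exist and the SENSORONLY branch asks the master for a sudo path that does not match the sudoers entry added in this diff, so the remote sudo will prompt for a password or be denied. A `case` on `"$INSTALLTYPE"` with an explicit `:` no-op for the not-yet-handled node types fixes both, and quoting `$MSRV`, `$MAINIP` and `$POLICYPATH` removes the word-splitting the unquoted `[ … ]` tests and ssh arguments currently allow. The ssh exit status is also never checked, so a failed registration with the master goes unnoticed by the caller.
```shell
set_initial_firewall_policy() {
  get_main_ip
  local POLICYPATH=/opt/so/saltstack/pillar/firewall

  case "$INSTALLTYPE" in
    MASTERONLY)
      echo " - $MAINIP" >> "$POLICYPATH/minions.sls"
      ;;
    SENSORONLY)
      # Register this sensor with the master's minions and forward_nodes rule sets;
      # propagate a failed ssh/sudo so the caller can stop the install.
      ssh -i ~/.ssh/so.key "socore@$MSRV" sudo "$POLICYPATH/addfirewall.sh" minions "$MAINIP" || return 1
      ssh -i ~/.ssh/so.key "socore@$MSRV" sudo "$POLICYPATH/addfirewall.sh" forward_nodes "$MAINIP" || return 1
      ;;
    STORAGENODE|PARSINGNODE|HOTNODE|WARMNODE)
      # TODO: not wired up yet; bash rejects an empty if/then/fi, so keep an explicit no-op.
      :
      ;;
  esac
}
```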
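Review bot: The new rule lets socore run `addfirewall.sh` as root with any arguments, so it is only as safe as that script's handling of `$1` and `$2`; as written in this diff the script interpolates `$1` into a file path unchecked, so this line effectively grants socore — the account every sensor holds an SSH key for — an append-to-any-file primitive as root. Beyond tightening the script, `tee -a /etc/sudoers` adds a duplicate entry on every re-run and a typo here locks out sudo entirely; prefer a drop-in that is validated before it takes effect: `printf '%s\n' 'socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh' | sudo tee /etc/sudoers.d/so-firewall` followed by `sudo visudo -cf /etc/sudoers.d/so-firewall`. The existing `salt-key` line above follows the same append pattern, but changing it is outside this hunk.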
@@ -963,8 +993,9 @@ if (whiptail_you_sure); then
     whiptail_basic_suri
   fi
   whiptail_make_changes
-  sensor_pillar
   copy_ssh_key
+  set_initial_firewall_policy
+  sensor_pillar
   create_bond
   saltify
   configure_minion SENSOR
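Review bot: The exit status of the newly inserted `set_initial_firewall_policy` call is ignored, and per the hunk at 516 its SENSORONLY branch reaches the master over ssh to open the firewall for `$MAINIP`, so when the ssh or the remote sudo fails the script carries on to `saltify` and the minion will be unable to reach the master. Provided the function propagates its ssh failures, a guard such as `set_initial_firewall_policy || { echo "Failed to register $MAINIP with the master firewall" >&2; exit 1; }` would stop the install at the point the operator can still fix it. Placing the call after `copy_ssh_key` looks right, since the key the function uses must exist before it runs.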