diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml
deleted file mode 100644
index c4ebc3613..000000000
--- a/files/firewall/hostgroups.local.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-firewall:
- hostgroups:
- analyst:
- ips:
- delete:
- insert:
- beats_endpoint:
- ips:
- delete:
- insert:
- beats_endpoint_ssl:
- ips:
- delete:
- insert:
- elasticsearch_rest:
- ips:
- delete:
- insert:
- elastic_agent_endpoint:
- ips:
- delete:
- insert:
- endgame:
- ips:
- delete:
- insert:
- fleet:
- ips:
- delete:
- insert:
- heavy_node:
- ips:
- delete:
- insert:
- idh:
- ips:
- delete:
- insert:
- manager:
- ips:
- delete:
- insert:
- node:
- ips:
- delete:
- insert:
- receiver:
- ips:
- delete:
- insert:
- search_node:
- ips:
- delete:
- insert:
- sensor:
- ips:
- delete:
- insert:
- strelka_frontend:
- ips:
- delete:
- insert:
- syslog:
- ips:
- delete:
- insert:
diff --git a/files/firewall/portgroups.local.yaml b/files/firewall/ports/ports.local.yaml
similarity index 100%
rename from files/firewall/portgroups.local.yaml
rename to files/firewall/ports/ports.local.yaml
diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml
deleted file mode 100644
index d669d96e4..000000000
--- a/salt/firewall/hostgroups.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{% from 'docker/docker.map.jinja' import DOCKER %}
-firewall:
- hostgroups:
- anywhere:
- ips:
- delete:
- insert:
- - 0.0.0.0/0
- dockernet:
- ips:
- delete:
- insert:
- - {{ DOCKER.sorange }}
- localhost:
- ips:
- delete:
- insert:
- - 127.0.0.1
- self:
- ips:
- delete:
- insert:
- - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 191155fbd..ea2d1b4e8 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -12,20 +12,16 @@
{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
{% set defined_portgroups = portgroups %}
-{% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
-{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#}
{% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %}
-{% do hostgroup_list.remove('firewall/hostgroups.local.yaml') %}
-{% do hostgroup_list.remove('firewall/hostgroups.yaml') %}
{% for hg in hostgroup_list %}
{% import_text hg as hg_ips %}
{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
{% endfor %}
-{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
+{% set hostgroups = local_hostgroups.firewall.hostgroups %}
{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
diff --git a/salt/firewall/portgroups/portgroups.yaml b/salt/firewall/portgroups/portgroups.yaml
deleted file mode 100644
index 331b5e3f2..000000000
--- a/salt/firewall/portgroups/portgroups.yaml
+++ /dev/null
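Review bot: The `hostgroup_list` loop now has no guard on what `cp.list_master(prefix='firewall/hostgroups')` returns, and the two `remove()` calls that used to strip the non-directory matches are gone with nothing replacing them: the prefix also matches a `firewall/hostgroups.yaml`-style path, for which `hg.split('/')[2]` raises IndexError and the whole firewall map fails to render if a stale copy survives on a master, while a file in a nested subdirectory is keyed by its directory name and silently overwrites a sibling group. The file contents are likewise unvalidated — `hg_ips.split()` turns every whitespace-separated token, including comment text or a typo, into an entry that is presumably emitted as a source address in a firewall rule (the consumer is outside this hunk). Since the deleted `hostgroups.yaml` derived `self` from grains and `dockernet` from the DOCKER map per minion, it is also not visible in this diff how those per-minion groups are now supplied — a static file under `firewall/hostgroups/` cannot express them, so worth confirming before merge. I would restrict the loop to direct children of the directory and accept only tokens that parse as an address or CIDR (or `raise()` on anything else rather than dropping it, if a hard failure is preferred), as below.
```jinja
{% for hg in hostgroup_list %}
{#- only direct children of firewall/hostgroups/ are hostgroups; other prefix matches are ignored #}
{% if hg.count('/') == 2 %}
{% import_text hg as hg_ips %}
{% set hg_addrs = [] %}
{% for line in hg_ips.splitlines() %}
{% set tok = line.split('#')[0].strip() %}
{% if tok and salt['network.is_ip'](tok.split('/')[0]) %}
{% do hg_addrs.append(tok) %}
{% endif %}
{% endfor %}
{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_addrs, 'delete': []}}}) %}
{% endif %}
{% endfor %}
```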
@@ -1,552 +0,0 @@ -role: - eval: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - elastic_agent_endpoint: - portgroups: - - elastic_agent_control - - elastic_agent_data - strelka_frontend: - portgroups: - - strelka_frontend - syslog: - portgroups: - - syslog - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - manager: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - - beats_5644 - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - - beats_5644 - self: - portgroups: - - syslog - syslog: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - endgame: - portgroups: - - endgame - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - 
portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - managersearch: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - elastic_agent_endpoint: - portgroups: - - elastic_agent_control - - elastic_agent_data - endgame: - portgroups: - - endgame - syslog: - portgroups: - - syslog - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - standalone: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - elastic_agent_endpoint: - portgroups: - - elastic_agent_control - - 
elastic_agent_data - endgame: - portgroups: - - endgame - strelka_frontend: - portgroups: - - strelka_frontend - syslog: - portgroups: - - syslog - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - helixsensor: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - searchnode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - elasticsearch_node - - elasticsearch_rest - dockernet: - portgroups: - - elasticsearch_node - - elasticsearch_rest - elasticsearch_rest: - portgroups: - - elasticsearch_rest - search_node: - portgroups: - - elasticsearch_node - self: - portgroups: - - syslog - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - sensor: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - syslog - strelka_frontend: - portgroups: - - strelka_frontend - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - heavynode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - elasticsearch_node - - elasticsearch_rest - dockernet: - portgroups: - - elasticsearch_node - - elasticsearch_rest - 
elasticsearch_rest: - portgroups: - - elasticsearch_rest - self: - portgroups: - - syslog - strelka_frontend: - portgroups: - - strelka_frontend - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - import: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - kibana - - redis - - influxdb - - elasticsearch_rest - - elasticsearch_node - minion: - portgroups: - - docker_registry - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - elasticsearch_node - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - - receiver: - chain: - DOCKER-USER: - hostgroups: - sensor: - portgroups: - - beats_5644 - search_node: - portgroups: - - redis - - beats_5644 - self: - portgroups: - - redis - - syslog - - beats_5644 - syslog: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - endgame: - portgroups: - - endgame - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - idh: - chain: - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - manager: - portgroups: - - ssh \ No newline at end of file