Extract firewall definitions to their own recipe

This allows us to use them for KVM hosts as well. Until now we had set
up ufw rules manually on the two KVM hosts (draco and centaurus)

Refs #244

site-cookbooks/kosmos-base/recipes/default.rb

@@ -64,7 +64,7 @@ unless node.chef_environment == "development"
     ]
   end
 
-  include_recipe 'kosmos-base::firewall'
+  include_recipe "kosmos-base::firewall"
 
   include_recipe 'kosmos-postfix'
 

site-cookbooks/kosmos-bitcoin/recipes/firewall.rb

@@ -0,0 +1,32 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+firewall_rule 'bitcoind' do
+  port     [8333] # TODO adjust for testnet
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-bitcoin/recipes/source.rb

@@ -158,9 +158,4 @@ systemd_unit 'bitcoind.service' do
   action [:create, :enable, :start]
 end
 
-# TODO move to custom kosmos cookbook before publishing bitcoin cookbook
-firewall_rule 'bitcoind' do
-  port     [8333] # TODO adjust for testnet
-  protocol :tcp
-  command  :allow
-end
+include_recipe "kosmos-bitcoin::firewall"

site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb

@@ -25,7 +25,8 @@ end
 nginx_certbot_site server_name
 
 unless node.chef_environment == "development"
-  include_recipe "firewall"
+  include_recipe "kosmos-base::firewall"
+
   firewall_rule "btcpayserver" do
     port     node["kosmos-btcpayserver"]["port"]
     protocol :tcp

site-cookbooks/kosmos-dirsrv/recipes/default.rb

@@ -37,14 +37,9 @@ end
 # with the run context is confusing:
 #
 # https://github.com/chef-cookbooks/firewall/issues/134
-unless node.chef_environment == "development"
-  include_recipe "firewall"
-  firewall_rule "ldap" do
-    port     [389, 636]
-    protocol :tcp
-    command  :allow
-  end
+include_recipe "kosmos-dirsrv::firewall"
 
+unless node.chef_environment == "development"
   # backup the data dir and the config files
   node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
   include_recipe "backup"

site-cookbooks/kosmos-dirsrv/recipes/firewall.rb

@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: kosmos-dirsrv
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "ldap" do
+  port     [389, 636]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -219,35 +219,7 @@ service "ejabberd" do
 end
 
 unless node.chef_environment == "development"
-  firewall_rule 'ejabberd' do
-    port     [5222, 5223, 5269, 5443]
-    protocol :tcp
-    command  :allow
-  end
-
-  firewall_rule 'ejabberd_cluster' do
-    port     [4369]
-    protocol :tcp
-    command  :allow
-  end
-
-  firewall_rule 'erlang_cluster' do
-    port     [4200..4210]
-    protocol :tcp
-    command  :allow
-  end
-
-  firewall_rule 'ejabberd_stun_turn' do
-    port     3478
-    protocol :tcp
-    command  :allow
-  end
-
-  firewall_rule 'ejabberd_turn' do
-    port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe "kosmos-ejabberd::firewall"
 end
 
 #

site-cookbooks/kosmos-ejabberd/recipes/firewall.rb

@@ -0,0 +1,57 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "ejabberd" do
+  port     [5222, 5223, 5269, 5443]
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_cluster' do
+  port     [4369]
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'erlang_cluster' do
+  port     [4200..4210]
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_stun_turn' do
+  port     3478
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_turn' do
+  port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ipfs/attributes/default.rb

@@ -17,6 +17,7 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
 node.default['kosmos-ipfs']['nginx']['gateway_port'] = 9090
 node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
+node.default['kosmos-ipfs']['nginx']['swarm_p2p_port'] = 4001
 node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
 
 node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v1.0.2"

site-cookbooks/kosmos-ipfs/recipes/default.rb

@@ -34,10 +34,5 @@ node['kosmos-ipfs']['ipfs']['config'].each do |k, v|
 end
 
 unless node.chef_environment == "development"
-  include_recipe 'firewall'
-  firewall_rule 'ipfs_swarm_p2p' do
-    port     4001
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe "kosmos-ipfs::firewall_swarm"
 end

site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb

@@ -0,0 +1,32 @@
+#
+# Cookbook Name:: kosmos-ipfs
+# Recipe:: firewall_public_gateway
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'firewall'
+firewall_rule 'ipfs_api' do
+  port     node['kosmos-ipfs']['nginx']['external_api_port']
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb

@@ -0,0 +1,32 @@
+#
+# Cookbook Name:: kosmos-ipfs
+# Recipe:: firewall_swarm
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'firewall'
+firewall_rule 'ipfs_swarm_p2p' do
+  port     node['kosmos-ipfs']['nginx']['swarm_p2p_port']
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb

@@ -49,10 +49,5 @@ end
 nginx_certbot_site domain
 
 unless node.chef_environment == "development"
-  include_recipe "firewall"
-  firewall_rule 'ipfs_api' do
-    port     node['kosmos-ipfs']['nginx']['external_api_port']
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe "kosmos-ipfs::firewall_public_gateway"
 end

site-cookbooks/kosmos-nginx/recipes/default.rb

@@ -84,11 +84,5 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do
 end
 
 unless node.chef_environment == "development"
-  include_recipe 'kosmos-base::firewall'
-
-  firewall_rule 'http/https' do
-    port     [80, 443]
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe "kosmos-nginx::firewall"
 end

site-cookbooks/kosmos-nginx/recipes/firewall.rb

@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: kosmos-nginx
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "http/https" do
+  port     [80, 443]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-nginx/recipes/with_perl.rb

@@ -23,11 +23,5 @@ cookbook_file "#{node['nginx']['dir']}/conf.d/tls_config.conf" do
 end
 
 unless node.chef_environment == "development"
-  include_recipe 'kosmos-base::firewall'
-
-  firewall_rule 'http/https' do
-    port     [80, 443]
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe 'kosmos-nginx::firewall'
 end

site-cookbooks/kosmos-postgresql/recipes/default.rb

@@ -76,14 +76,8 @@ postgresql_replicas.each do |replica|
     notifies :reload, "service[#{postgresql_service}]", :immediately
   end
 
-  unless node.chef_environment == "development"
-    include_recipe "firewall"
-
-    firewall_rule "postgresql replica #{replica[:hostname]}" do
-      port        5432
-      protocol    :tcp
-      command     :allow
-      source replica[:ipaddress]
-    end
-  end
+end
+
+unless node.chef_environment == "development"
+  include_recipe "kosmos-postgresql::firewall_replicas"
 end

site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb

@@ -0,0 +1,36 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: firewall_replicas
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+postgresql_replicas.each do |replica|
+  firewall_rule "postgresql replica #{replica[:hostname]}" do
+    port        5432
+    protocol    :tcp
+    command     :allow
+    source replica[:ipaddress]
+  end
+end

site-cookbooks/kosmos-postgresql/recipes/replica.rb

@@ -70,7 +70,7 @@ systemctl start #{postgresql_service}
   node.normal['kosmos-postgresql']['ready_to_set_up_replica'] = true
 
   unless node.chef_environment == "development"
-    include_recipe "firewall"
+    include_recipe "kosmos-base::firewall"
 
     firewall_rule "postgresql primary #{primary[:hostname]}" do
       port        5432

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -159,7 +159,3 @@ nginx_site domain do
 end
 
 nginx_certbot_site domain
-
-unless node.chef_environment == "development"
-  include_recipe "firewall"
-end

site-cookbooks/sockethub/recipes/_firewall.rb

@@ -25,7 +25,8 @@
 # THE SOFTWARE.
 
 unless node.chef_environment == "development"
-  include_recipe "firewall"
+  include_recipe "kosmos-base::firewall"
+
   firewall_rule 'sockethub' do
     port     node['sockethub']['external_port'].to_i
     protocol :tcp