diff --git a/site-cookbooks/kosmos-base/recipes/default.rb b/site-cookbooks/kosmos-base/recipes/default.rb
index 9ee8ab8..d5df463 100644
--- a/site-cookbooks/kosmos-base/recipes/default.rb
+++ b/site-cookbooks/kosmos-base/recipes/default.rb
@@ -64,7 +64,7 @@ unless node.chef_environment == "development"
 ]
 end
- include_recipe 'kosmos-base::firewall'
+ include_recipe "kosmos-base::firewall"
 include_recipe 'kosmos-postfix'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/firewall.rb b/site-cookbooks/kosmos-bitcoin/recipes/firewall.rb
new file mode 100644
index 0000000..f1018d1
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/firewall.rb
@@ -0,0 +1,32 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+firewall_rule 'bitcoind' do
+ port [8333] # TODO adjust for testnet
+ protocol :tcp
+ command :allow
+end
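Review bot: The new kosmos-bitcoin::firewall recipe declares `firewall_rule 'bitcoind'` without first including the recipe that sets up the firewall, unlike every other firewall recipe in this commit (kosmos-dirsrv, kosmos-ejabberd, kosmos-nginx and kosmos-postgresql all begin with `include_recipe "kosmos-base::firewall"`). Whether the firewall cookbook's resource and its default policy are loaded before this rule therefore depends on what the caller happened to include earlier in the run, which is the ordering problem the commit is otherwise removing. Add `include_recipe "kosmos-base::firewall"` before the rule. The `# TODO adjust for testnet` is carried over unchanged; if the port is meant to vary, an attribute as done for `swarm_p2p_port` in kosmos-ipfs would make that explicit.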
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/source.rb b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
index d93f004..0d60853 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/source.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
@@ -158,9 +158,4 @@ systemd_unit 'bitcoind.service' do
 action [:create, :enable, :start]
 end
-# TODO move to custom kosmos cookbook before publishing bitcoin cookbook
-firewall_rule 'bitcoind' do
- port [8333] # TODO adjust for testnet
- protocol :tcp
- command :allow
-end
+include_recipe "kosmos-bitcoin::firewall"
diff --git a/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb b/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb
index 4a47729..621161e 100644
--- a/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb
+++ b/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb
@@ -25,7 +25,8 @@ end
 nginx_certbot_site server_name
 unless node.chef_environment == "development"
- include_recipe "firewall"
+ include_recipe "kosmos-base::firewall"
+
 firewall_rule "btcpayserver" do
 port node["kosmos-btcpayserver"]["port"]
 protocol :tcp
diff --git a/site-cookbooks/kosmos-dirsrv/recipes/default.rb b/site-cookbooks/kosmos-dirsrv/recipes/default.rb
index 2f189df..6bcb871 100644
--- a/site-cookbooks/kosmos-dirsrv/recipes/default.rb
+++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb
@@ -37,14 +37,9 @@ end
 # with the run context is confusing:
 #
 # https://github.com/chef-cookbooks/firewall/issues/134
-unless node.chef_environment == "development"
- include_recipe "firewall"
- firewall_rule "ldap" do
- port [389, 636]
- protocol :tcp
- command :allow
- end
+include_recipe "kosmos-dirsrv::firewall"
+unless node.chef_environment == "development"
 # backup the data dir and the config files
 node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
 include_recipe "backup"
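Review bot: `include_recipe "kosmos-bitcoin::firewall"` in source.rb is not wrapped in the `unless node.chef_environment == "development"` guard that every other call site touched by this commit uses (btcpayserver, dirsrv, ipfs, nginx, postgresql), so the bitcoind allow rule and whatever kosmos-bitcoin::firewall pulls in will also run in development. The removed inline rule does not look guarded in the visible context either, so this may be a pre-existing choice rather than a regression, but it is now the odd one out. If it is intentional a one-line comment saying so would help; otherwise wrap it as `unless node.chef_environment == "development"` / `  include_recipe "kosmos-bitcoin::firewall"` / `end`.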
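Review bot: In kosmos-dirsrv/recipes/default.rb the new `include_recipe "kosmos-dirsrv::firewall"` sits above the `unless node.chef_environment == "development"` line instead of inside it, so the firewall recipe — and through it kosmos-base::firewall and the LDAP allow rule on 389/636 — now runs in development too, which the removed code avoided and every other recipe in this commit still avoids. If the run-context comment above the hunk (firewall issue 134) is the reason for hoisting it, say so next to the include; otherwise keep it guarded: `unless node.chef_environment == "development"` / `  include_recipe "kosmos-dirsrv::firewall"`. The guarded block continues past the end of the hunk.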
diff --git a/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb
new file mode 100644
index 0000000..b466666
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb
@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: kosmos-dirsrv
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "ldap" do
+ port [389, 636]
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 0cde474..01225cb 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
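Review bot: The `ldap` rule allows 389 and 636 from any source, and 389 is the plaintext LDAP port unless STARTTLS is required server-side, so the directory is reachable from the whole network rather than only from the hosts that bind to it. The kosmos-postgresql::firewall_replicas recipe in this same commit shows how to scope a rule with `source`; consider the same here, or at least a comment recording that a world-reachable directory port is intended. The header also reads `Cookbook Name::` while the kosmos-bitcoin, kosmos-ejabberd and kosmos-postgresql files use `Cookbook::`; pick one form for the new files.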
@@ -219,35 +219,7 @@ service "ejabberd" do
 end
 unless node.chef_environment == "development"
- firewall_rule 'ejabberd' do
- port [5222, 5223, 5269, 5443]
- protocol :tcp
- command :allow
- end
-
- firewall_rule 'ejabberd_cluster' do
- port [4369]
- protocol :tcp
- command :allow
- end
-
- firewall_rule 'erlang_cluster' do
- port [4200..4210]
- protocol :tcp
- command :allow
- end
-
- firewall_rule 'ejabberd_stun_turn' do
- port 3478
- protocol :tcp
- command :allow
- end
-
- firewall_rule 'ejabberd_turn' do
- port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
- protocol :tcp
- command :allow
- end
+ include_recipe "kosmos-ejabberd::firewall"
 end
 #
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
new file mode 100644
index 0000000..5d2ac3a
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
@@ -0,0 +1,57 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "ejabberd" do
+ port [5222, 5223, 5269, 5443]
+ protocol :tcp
+ command :allow
+end
+
+firewall_rule 'ejabberd_cluster' do
+ port [4369]
+ protocol :tcp
+ command :allow
+end
+
+firewall_rule 'erlang_cluster' do
+ port [4200..4210]
+ protocol :tcp
+ command :allow
+end
+
+firewall_rule 'ejabberd_stun_turn' do
+ port 3478
+ protocol :tcp
+ command :allow
+end
+
+firewall_rule 'ejabberd_turn' do
+ port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-ipfs/attributes/default.rb b/site-cookbooks/kosmos-ipfs/attributes/default.rb
index bce7a81..860fb87 100644
--- a/site-cookbooks/kosmos-ipfs/attributes/default.rb
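Review bot: `ejabberd_cluster` (4369) and `erlang_cluster` (4200..4210) are opened to any source, but by their own names these are the ports the cluster nodes use to talk to each other, not client-facing XMPP ports, so they should be limited with `source` to the peer nodes (the way kosmos-postgresql::firewall_replicas scopes its rule) rather than exposed next to 5222/5269. The move into a dedicated recipe is a good moment to do that, since the rules were previously buried in default.rb. The file also mixes `"ejabberd"` with `'ejabberd_cluster'` quoting in otherwise new code; use one style. The `:tcp`-only TURN rules match the removed code, so if UDP relay is expected that is a pre-existing gap rather than a regression.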
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb
@@ -17,6 +17,7 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
 node.default['kosmos-ipfs']['nginx']['gateway_port'] = 9090
 node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
+node.default['kosmos-ipfs']['nginx']['swarm_p2p_port'] = 4001
 node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
 node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v1.0.2"
diff --git a/site-cookbooks/kosmos-ipfs/recipes/default.rb b/site-cookbooks/kosmos-ipfs/recipes/default.rb
index 202faf4..b642a8c 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@@ -34,10 +34,5 @@ node['kosmos-ipfs']['ipfs']['config'].each do |k, v|
 end
 unless node.chef_environment == "development"
- include_recipe 'firewall'
- firewall_rule 'ipfs_swarm_p2p' do
- port 4001
- protocol :tcp
- command :allow
- end
+ include_recipe "kosmos-ipfs::firewall_swarm"
 end
diff --git a/site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb b/site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb
new file mode 100644
index 0000000..116c436
--- /dev/null
+++ b/site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb
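Review bot: `swarm_p2p_port` is added under `node.default['kosmos-ipfs']['nginx']`, but the rule it feeds was named `ipfs_swarm_p2p` and the value (4001) is the IPFS swarm listener, not something nginx serves; the neighbouring keys in this block are all nginx listen/proxy ports. Under that key it is easy to misread as an nginx setting when someone later tunes the proxy ports. `node.default['kosmos-ipfs']['ipfs']['swarm_p2p_port'] = 4001`, with the matching lookup in firewall_swarm.rb, would keep the IPFS-side settings together with the `['ipfs']['config']` hash above the hunk.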
@@ -0,0 +1,32 @@
+#
+# Cookbook Name:: kosmos-ipfs
+# Recipe:: firewall_public_gateway
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'firewall'
+firewall_rule 'ipfs_api' do
+ port node['kosmos-ipfs']['nginx']['external_api_port']
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb b/site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb
new file mode 100644
index 0000000..056d288
--- /dev/null
+++ b/site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb
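Review bot: This recipe, and kosmos-ipfs::firewall_swarm right after it, still use `include_recipe 'firewall'` while every other new firewall recipe in this commit (dirsrv, ejabberd, nginx, postgresql) and all the converted call sites go through `include_recipe "kosmos-base::firewall"`. If kosmos-base::firewall is where the site-wide policy lives (the default rules the other recipes rely on), these two ipfs recipes bypass it, so change both to `include_recipe "kosmos-base::firewall"` for the same reason the commit rewrites the other call sites. The header `Cookbook Name::` also differs from the `Cookbook::` form used in the other new files.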
@@ -0,0 +1,32 @@
+#
+# Cookbook Name:: kosmos-ipfs
+# Recipe:: firewall_swarm
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'firewall'
+firewall_rule 'ipfs_swarm_p2p' do
+ port node['kosmos-ipfs']['nginx']['swarm_p2p_port']
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb b/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb
index 3ed5fe1..7d9927f 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb
@@ -49,10 +49,5 @@ end
 nginx_certbot_site domain
 unless node.chef_environment == "development"
- include_recipe "firewall"
- firewall_rule 'ipfs_api' do
- port node['kosmos-ipfs']['nginx']['external_api_port']
- protocol :tcp
- command :allow
- end
+ include_recipe "kosmos-ipfs::firewall_public_gateway"
 end
diff --git a/site-cookbooks/kosmos-nginx/recipes/default.rb b/site-cookbooks/kosmos-nginx/recipes/default.rb
index 87f386f..c01301e 100644
--- a/site-cookbooks/kosmos-nginx/recipes/default.rb
+++ b/site-cookbooks/kosmos-nginx/recipes/default.rb
@@ -84,11 +84,5 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do
 end
 unless node.chef_environment == "development"
- include_recipe 'kosmos-base::firewall'
-
- firewall_rule 'http/https' do
- port [80, 443]
- protocol :tcp
- command :allow
- end
+ include_recipe "kosmos-nginx::firewall"
 end
diff --git a/site-cookbooks/kosmos-nginx/recipes/firewall.rb b/site-cookbooks/kosmos-nginx/recipes/firewall.rb
new file mode 100644
index 0000000..ca6cbe2
--- /dev/null
+++ b/site-cookbooks/kosmos-nginx/recipes/firewall.rb
@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: kosmos-nginx
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "http/https" do
+ port [80, 443]
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-nginx/recipes/with_perl.rb b/site-cookbooks/kosmos-nginx/recipes/with_perl.rb
index bac0223..5be4fda 100644
--- a/site-cookbooks/kosmos-nginx/recipes/with_perl.rb
+++ b/site-cookbooks/kosmos-nginx/recipes/with_perl.rb
@@ -23,11 +23,5 @@ cookbook_file "#{node['nginx']['dir']}/conf.d/tls_config.conf" do
 end
 unless node.chef_environment == "development"
- include_recipe 'kosmos-base::firewall'
-
- firewall_rule 'http/https' do
- port [80, 443]
- protocol :tcp
- command :allow
- end
+ include_recipe 'kosmos-nginx::firewall'
 end
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb
index c7d289b..b3c9f4f 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/default.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb
@@ -76,14 +76,8 @@ postgresql_replicas.each do |replica|
 notifies :reload, "service[#{postgresql_service}]", :immediately
 end
- unless node.chef_environment == "development"
- include_recipe "firewall"
-
- firewall_rule "postgresql replica #{replica[:hostname]}" do
- port 5432
- protocol :tcp
- command :allow
- source replica[:ipaddress]
- end
- end
+end
+
+unless node.chef_environment == "development"
+ include_recipe "kosmos-postgresql::firewall_replicas"
 end
diff --git a/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb b/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb
new file mode 100644
index 0000000..0ad0a47
--- /dev/null
+++ b/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb
@@ -0,0 +1,36 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: firewall_replicas
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+postgresql_replicas.each do |replica|
+ firewall_rule "postgresql replica #{replica[:hostname]}" do
+ port 5432
+ protocol :tcp
+ command :allow
+ source replica[:ipaddress]
+ end
+end
diff --git a/site-cookbooks/kosmos-postgresql/recipes/replica.rb b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
index b063edf..651b18a 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
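Review bot: `postgresql_replicas` is called at the top level of the new recipe but is not defined in it, so the recipe only works when that helper is available in recipe scope from elsewhere in the cookbook (presumably it is, since default.rb iterates over it in the hunk above, but nothing in this file says so). A one-line comment above the loop, such as `# postgresql_replicas is provided by the cookbook's helper library — see <library file>`, would save the next reader a search. The rule itself is the one place in this commit that scopes an allow with `source` to each replica's address, which is the pattern the other firewall recipes could follow.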
@@ -70,7 +70,7 @@ systemctl start #{postgresql_service}
 node.normal['kosmos-postgresql']['ready_to_set_up_replica'] = true
 unless node.chef_environment == "development"
- include_recipe "firewall"
+ include_recipe "kosmos-base::firewall"
 firewall_rule "postgresql primary #{primary[:hostname]}" do
 port 5432
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index 2cc43c5..724572e 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -159,7 +159,3 @@ nginx_site domain do
 end
 nginx_certbot_site domain
-
-unless node.chef_environment == "development"
- include_recipe "firewall"
-end
diff --git a/site-cookbooks/sockethub/recipes/_firewall.rb b/site-cookbooks/sockethub/recipes/_firewall.rb
index 0c46c53..dd61637 100644
--- a/site-cookbooks/sockethub/recipes/_firewall.rb
+++ b/site-cookbooks/sockethub/recipes/_firewall.rb
@@ -25,7 +25,8 @@
 # THE SOFTWARE.
 unless node.chef_environment == "development"
- include_recipe "firewall"
+ include_recipe "kosmos-base::firewall"
+
 firewall_rule 'sockethub' do
 port node['sockethub']['external_port'].to_i
 protocol :tcp