nodes/redis-1.json

@@ -43,6 +43,7 @@
       "redisio::disable_os_default",
       "redisio::configure",
       "redisio::enable",
+      "kosmos_redis::firewall",
       "backup::default",
       "logrotate::default"
     ],

roles/redis_server.rb

@@ -1,7 +1,18 @@
 name "redis_server"
 
-run_list %w(
+default_run_list = %w(
   kosmos_redis::default
 )
 
+production_run_list = %w(
+  kosmos_redis::default
+  kosmos_redis::firewall
+)
+
+env_run_lists(
+  '_default' => default_run_list,
+  'development' => default_run_list,
+  'production' => production_run_list
+)
+
 default_attributes({})

site-cookbooks/kosmos_redis/metadata.rb

@@ -8,3 +8,4 @@ version          '0.2.0'
 
 depends 'redisio'
 depends 'backup'
+depends 'kosmos-base'

site-cookbooks/kosmos_redis/recipes/default.rb

@@ -7,6 +7,8 @@ include_recipe 'redisio::default'
 include_recipe 'redisio::enable'
 
 unless node.chef_environment == "development"
+  include_recipe "kosmos_redis::firewall"
+
   # Backup the databases to S3
   databases = node['redisio']['servers'].map do |server, _|
     "dump-#{server['port']}"

site-cookbooks/kosmos_redis/recipes/firewall.rb

@@ -0,0 +1,17 @@
+#
+# Cookbook Name:: kosmos_redis
+# Recipe:: firewall
+#
+
+include_recipe "kosmos-base::firewall"
+
+ports = node['redisio']['servers'].map do |server, _|
+  server['port']
+end
+
+firewall_rule "redis" do
+  port     ports
+  source   "10.1.1.0/24" # zerotier
+  protocol :tcp
+  command  :allow
+end