Timotej Lazar
25bcddede1
Consolidate base system and networking setup into debian role and BGP configuration into frr role. Add facts role to collect data from NetBox once to avoid many slow lookups. Also many other tweaks and cleanups.
24 lines
1 KiB
Django/Jinja
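{# Proxmox VE firewall configuration (cluster.fw syntax) rendered by Ansible.
   Inputs expected in the template context (presumably provided by the facts role
   that caches NetBox data -- confirm against the role):
     nodes   - the cluster's node devices; the device_address filter yields their
               IP address objects (with a family.value of 4 or 6)
     cluster - the cluster object whose custom_fields.services lists the services
               that must be reachable from outside (name, protocol, ports)
   Project filters used: device_address, allowed_prefixes, compact_numlist. #}
[OPTIONS]

enable: 1

[RULES]

IN Ping(ACCEPT) -log nolog # don’t be rude
IN SSH(ACCEPT) -i mgmt # for ansible etc.
{# Intra-cluster traffic: accept anything coming from the nodes' own addresses,
   one rule per address family so neither list is silently dropped. #}
IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 4) | map(attribute='address') | join(',') }} # my cluster
IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 6) | map(attribute='address') | join(',') }} # my cluster
{% for service in cluster.custom_fields.services %}
{# `list` materialises the filter chains: selectattr/map return generators, which
   are always truthy, so without it the `if` guards below never skip an empty
   family and a rule with an empty -source would be written to the firewall.
   Listing `prefixes` first also makes it safe to iterate twice in case
   allowed_prefixes returns an iterator rather than a list. #}
{% set prefixes = service | allowed_prefixes | list %}
{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map('string') | list %}
{% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map('string') | list %}
{# Proxmox expects ':' as the range delimiter in -dport. #}
{% set ports = service.ports | compact_numlist(range_delimiter=':') %}
{% if prefixes4 %}
IN ACCEPT -source {{ prefixes4 | join(',') }} -p {{ service.protocol }} -dport {{ ports }} # {{ service.name }}
{% endif %}
{% if prefixes6 %}
IN ACCEPT -source {{ prefixes6 | join(',') }} -p {{ service.protocol }} -dport {{ ports }} # {{ service.name }}
{% endif %}
{% endfor %}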