Hello,
The firewall in ansible for securedrop-club uses a single security group and opens everything it needs for every possible service (icinga, bind, postfix etc.) when the VMs are created. This is bad design and I propose that it be refactored with a firewall role that can be used by a playbook to open specific ports. For instance the bind playbook would be:
    - name: configure firewall
      hosts: localhost
      connection: local
      gather_facts: False
      roles:
        - role: firewall
          os_security_group_udp: [ 53 ]

    - name: setup DNS server
      hosts: [ 'bind_group' ]
      become: True
      roles:
        - role: bertvv.bind
          bind_allow_query:
            …
The benefit is that the firewall is configured by the playbook that needs it.
I also propose that we have two security groups: securedrop-club for ports open to other VMs in the same tenant (with remote_group: securedrop-club) and securedrop-club-external for ports open to the net (with remote_ip_prefix: 0.0.0.0/0).
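As an added illustration of what the proposed firewall role and the two-group split could look like (this is example code, not the securedrop-club repository's own), here is a hypothetical roles/firewall/tasks/main.yml; the variable names os_security_group_tcp/udp and their _external variants are assumptions, only os_security_group_udp comes from the playbook above, and the role relies on the OpenStack os_security_group and os_security_group_rule modules:

```yaml
# roles/firewall/tasks/main.yml  (hypothetical layout, not the project's code)
#
# Variables a calling playbook may set; every one defaults to an empty list:
#   os_security_group_tcp, os_security_group_udp                   -> reachable only from VMs
#                                                                     in the same tenant
#   os_security_group_tcp_external, os_security_group_udp_external -> reachable from the net
#
# The VM must be booted with both groups attached (os_server: security_groups).

- name: ensure both security groups exist
  os_security_group:
    name: "{{ item.name }}"
    description: "{{ item.description }}"
    state: present
  loop:
    - { name: securedrop-club, description: "open to other VMs in the same tenant" }
    - { name: securedrop-club-external, description: "open to the net" }

- name: open tenant-internal ports (source restricted to members of securedrop-club)
  os_security_group_rule:
    security_group: securedrop-club
    protocol: "{{ item.0 }}"
    port_range_min: "{{ item.1 }}"
    port_range_max: "{{ item.1 }}"
    remote_group: securedrop-club
    state: present
  # product() pairs each protocol with every port in its list: [('udp', 53), ...]
  loop: >-
    {{ (['tcp'] | product(os_security_group_tcp | default([])) | list)
     + (['udp'] | product(os_security_group_udp | default([])) | list) }}

- name: open Internet-facing ports (0.0.0.0/0, so a playbook lists only what must be public)
  os_security_group_rule:
    security_group: securedrop-club-external
    protocol: "{{ item.0 }}"
    port_range_min: "{{ item.1 }}"
    port_range_max: "{{ item.1 }}"
    remote_ip_prefix: 0.0.0.0/0
    state: present
  loop: >-
    {{ (['tcp'] | product(os_security_group_tcp_external | default([])) | list)
     + (['udp'] | product(os_security_group_udp_external | default([])) | list) }}
```

With this layout the bind playbook above opens 53/udp to the tenant only, and a playbook that needs a public port has to say so explicitly by using the _external variable.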
Cheers