boot,store,store-db: switch to nftables

status-im/infra-misc#301
status-im · Sep 12, 2024 · f8c8dac · f8c8dac
1 parent 901a62f
commit f8c8dac
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 24 deletions.
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
@@ -1,4 +1,6 @@
 ---
+bootstrap__firewall_nftables: true
+
 # Root password
 bootstrap__root_pass: '{{lookup("bitwarden", "root-pass")}}'
 # Consul

diff --git a/ansible/group_vars/boot.yml b/ansible/group_vars/boot.yml
@@ -85,16 +85,15 @@ certbot_certs_map:
         - '{{ nim_waku_websocket_domain }}'
         - '{{ nim_waku_websocket_domain | replace("status."+stage, "shards.staging") }}' # Legacy Fleet Name
 
-# Open LibP2P Ports
-open_ports_default_comment: '{{ nim_waku_cont_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
+# Open Nim-Waku Ports
 open_ports_list:
-  - { port: '80', comment: 'Nginx and Certbot' }
-  - { port: '{{ nim_waku_p2p_tcp_port }}' }
-  - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
-  - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' }
-  - { port: '{{ nim_waku_websock_port }}' }
+  nginx:
+    - { comment: 'Nginx and Certbot', port: '80' }
+  nim-waku:
+    - { comment: 'Nim-Waku LibP2P',       port: '{{ nim_waku_p2p_tcp_port }}' }
+    - { comment: 'Nim-Waku Discovery v5', port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
+    - { comment: 'Nim-Waku Metrics',      port: '{{ nim_waku_metrics_port }}', ipset: 'metrics.hq', iifname: 'wg0' }
+    - { comment: 'Nim-Waku WebSocket',    port: '{{ nim_waku_websock_port }}' }
 
 # Public Config file access
 nginx_sites:

diff --git a/ansible/group_vars/store-db.yml b/ansible/group_vars/store-db.yml
@@ -66,8 +66,6 @@ postgres_ha_consul_failures_before_warning: 5
 postgres_ha_consul_failures_before_critical: 10
 
 # Open PostgreSQL Port
-open_ports_default_comment: '{{ postgres_ha_service_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
 open_ports_list:
-  - { port: '{{ postgres_ha_cont_port }}', ipset: '{{ env }}.{{ stage }}' }
+  postgres:
+    - { comment: 'PostgreSQL', port: '{{ postgres_ha_cont_port }}', ipset: '{{ env }}.{{ stage }}', iifname: 'wg0' }
diff --git a/ansible/group_vars/store.yml b/ansible/group_vars/store.yml
@@ -92,16 +92,15 @@ certbot_certs_map:
         - '{{ nim_waku_websocket_domain }}'
         - '{{ nim_waku_websocket_domain | replace("status."+stage, "shards.staging") }}' # Legacy Fleet Name
 
-# Open LibP2P Ports
-open_ports_default_comment: '{{ nim_waku_cont_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
+# Open Nim-Waku Ports
 open_ports_list:
-  - { port: '80', comment: 'Nginx and Certbot' }
-  - { port: '{{ nim_waku_p2p_tcp_port }}' }
-  - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
-  - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' }
-  - { port: '{{ nim_waku_websock_port }}' }
+  nginx:
+    - { comment: 'Nginx and Certbot', port: '80' }
+  nim-waku:
+    - { comment: 'Nim-Waku LibP2P',       port: '{{ nim_waku_p2p_tcp_port }}' }
+    - { comment: 'Nim-Waku Discovery v5', port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
+    - { comment: 'Nim-Waku Metrics',      port: '{{ nim_waku_metrics_port }}', ipset: 'metrics.hq', iifname: 'wg0' }
+    - { comment: 'Nim-Waku WebSocket',    port: '{{ nim_waku_websock_port }}' }
 
 # Public Config file access
 nginx_sites:

diff --git a/ansible/requirements.yml b/ansible/requirements.yml
@@ -22,8 +22,8 @@
 
 - name: infra-role-certbot
   src: [email protected]:status-im/infra-role-certbot.git
-  version: dfd0bce4e5e2484f9be6f38ca34af92e5461ee8c
+  version: 41e768fe2e9212366c6a33aa8c2e30d0b2832e80
 
 - name: infra-role-postgres-ha
   src: [email protected]:status-im/infra-role-postgres-ha.git
-  version: aa752f40623a7f92ce4a95c40cbbabf815452945
+  version: fbc3376e790c526bb401edb1a6a1ffdc4a4d1ae1