path: root/pillar/global
Commit message | Author | Age | Files | Lines
* fix firewalld not updating interfaces | Pratyush Desai | 2024-06-19 | 1 | -0/+1
  Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
* Manage backend firewall zone [import-denc-webcluster] | Georg Pfuetzenreuter | 2023-02-12 | 1 | -0/+4
  Configure backend firewall zones if applicable. Allow all UDP for cluster traffic.

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Refactor map/macro sourcing | Georg Pfuetzenreuter | 2023-01-30 | 4 | -101/+2
  - move pillar macros and map to base directory
  - move listener logic from macro to map
  - update includes respectively

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Set firewalld short zone names | Georg Pfuetzenreuter | 2023-01-29 | 1 | -2/+2
  To match the SUSE defaults deployed by our AutoYaST configuration.

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Allow IPv6-only interfaces + fixup | Georg Pfuetzenreuter | 2023-01-29 | 1 | -1/+3
  - interfaces with no IPv4 address would cause a render failure
  - repair if-clause needed for interfaces with only IPv4 addresses

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Firewall interface mapping logic | Georg Pfuetzenreuter | 2023-01-29 | 3 | -0/+84
  Detect which interfaces belong to which zones, and configure firewalld accordingly. Backend zone is currently only prepared and yet to be tested and enabled.

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Mine interfaces | Georg Pfuetzenreuter | 2023-01-29 | 1 | -0/+1
  Needed for firewall interface-zone mapping logic.

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Manage common firewalld rules | Georg Pfuetzenreuter | 2023-01-29 | 2 | -0/+13
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Enable SSH banner | Georg Pfuetzenreuter | 2023-01-29 | 1 | -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Listeners macro: skip on empty mine | Georg Pfuetzenreuter | 2023-01-28 | 1 | -4/+6
  Don't fail if mine does not contain information about the queried minion. In the future it would be nice to add another conditional to allow such minions to fall back to the locally executed network module for masterless setups.

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Listeners macro: use mined addresses | Georg Pfuetzenreuter | 2023-01-28 | 1 | -2/+3
  The network module runs on the Salt master, but the macro should fetch minion addresses.

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Mine IPv6 addresses | Georg Pfuetzenreuter | 2023-01-28 | 1 | -0/+1
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Mine IP addresses | Georg Pfuetzenreuter | 2023-01-28 | 1 | -0/+3
  Add Salt mine configuration to collect minion IP addresses.

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Relay via static zz0.email host | Georg Pfuetzenreuter | 2023-01-27 | 1 | -0/+1
  Split horizon for the complete .email zone is not feasible for all sites, and TLS certificate currently does not cover any of the internal hostnames.

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Manage common SSH server | Georg Pfuetzenreuter | 2023-01-26 | 3 | -0/+49
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* mta.postfix->global.mta pillar; remove mta profile | Georg Pfuetzenreuter | 2023-01-26 | 2 | -1/+29
  This is more an MTA configuration for system email on all hosts instead of a dedicated email server role.

  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
* Move common to global pillar | Georg Pfuetzenreuter | 2023-01-26 | 1 | -0/+13
  Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>