ansible: migrate to nftables

- set `bootstrap__firewall_nftables` var to true - adjust `open_ports_list` to match the structure needed to run firewall role changes applied to all hosts in test and sandbox environment of infra-waku related to : status-im/infra-misc#301
status-im · Sep 4, 2024 · 0c345a9 · 0c345a9
1 parent 5167382
commit 0c345a9
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 11 deletions.
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
@@ -1,6 +1,9 @@
 ---
 # Root password
 bootstrap__root_pass: '{{lookup("bitwarden", "root-pass")}}'
+# Migrated to NFTables from IPTables.
+# https://github.com/status-im/infra-misc/issues/301
+bootstrap__firewall_nftables: true
 # Consul
 bootstrap__consul_encryption_key:   '{{lookup("bitwarden", "consul/cluster",    field="encryption-key")}}'
 bootstarp__consul_agent_acl_token:  '{{lookup("bitwarden", "consul/acl-tokens", field="agent-default")}}'

diff --git a/ansible/group_vars/node-db.yml b/ansible/group_vars/node-db.yml
@@ -17,9 +17,9 @@ postgres_ha_databases:
 
 postgres_ha_backup: false
 
+
 # Open PostgreSQL Port
 open_ports_default_comment: '{{ postgres_ha_service_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
 open_ports_list:
-  - { port: '{{ postgres_ha_cont_port }}', ipset: '{{ env }}.{{ stage }}' }
+   postgres: 
+    - { port: '{{ postgres_ha_cont_port }}', ipset: '{{ env }}.{{ stage }}', iifname: 'wg0' }
diff --git a/ansible/group_vars/node.yml b/ansible/group_vars/node.yml
@@ -88,15 +88,14 @@ conn_limit_limit: 20
 conn_limit_dport: '{{ nim_waku_websock_port }}'
 
 # Open LibP2P Ports
-open_ports_default_comment: '{{ nim_waku_cont_name }}'
-open_ports_default_chain: 'SERVICES'
-open_ports_default_protocol: 'tcp'
 open_ports_list:
-  - { port: '80', comment: 'Nginx and Certbot' }
-  - { port: '{{ nim_waku_p2p_tcp_port }}' }
-  - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
-  - { port: '{{ nim_waku_websock_port }}' }
-  - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' }
+  nginx:
+    - { port: '80', comment: 'Nginx and Certbot' }
+  nim-waku:  
+    - { port: '{{ nim_waku_p2p_tcp_port }}', comment: 'libp2p' }
+    - { port: '{{ nim_waku_disc_v5_port }}', comment: 'discovery v5', protocol: 'udp' }
+    - { port: '{{ nim_waku_websock_port }}', comment: 'websocket' }
+    - { port: '{{ nim_waku_metrics_port }}', comment: 'metrics', ipset: 'metrics.hq', iifname: 'wg0' }
 
 # Public Config file access
 nginx_sites: