crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[docker] Add firewall between Docker containers and adm network 

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
certbot_on_virtu
Yohann D'ANELLO 2021-06-21 10:41:45 +02:00
parent b8e0653b3f
commit 3d0f7a5f5f
Signed by: _ynerant
GPG Key ID: 3A75C55819C8CF85
6 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
group_vars/docker.yml 100644
View File

@ -0,0 +1,4 @@
---
glob_docker:
dns_network: 172.16.10.100/30
adm_network: 172.16.0.0/16

6
hosts
View File

@ -47,6 +47,9 @@ vsftpd
[dhcp:children] [dhcp:children]
routeurs_vm routeurs_vm
[docker:children]
gitlab_runner
[django_cas] [django_cas]
cas.adm.crans.org cas.adm.crans.org
@ -85,6 +88,9 @@ neree.adm.crans.org
[gitlab] [gitlab]
gitzly.adm.crans.org gitzly.adm.crans.org
[gitlab_runner]
gitlab-ci.adm.crans.org
[grafana] [grafana]
monitoring.adm.crans.org monitoring.adm.crans.org

4
plays/gitlab.yml
View File

@ -1,7 +1,9 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# Deploy Gitlab CI # Deploy Gitlab CI
- hosts: gitlab-ci.adm.crans.org - hosts: gitlab_runner
vars:
docker: '{{ glob_docker | default({}) | combine(loc_docker | default({})) }}'
roles: roles:
- docker - docker
- gitlab-runner - gitlab-runner

6
roles/docker/handlers/main.yml 100644
View File

@ -0,0 +1,6 @@
---
- name: Restart Docker
systemd:
name: docker
daemon_reload: true
state: restarted

9
roles/docker/tasks/main.yml
View File

@ -43,3 +43,12 @@
register: apt_result register: apt_result
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
- name: Protect adm from Docker containers
template:
src: systemd/system/docker.service.d/override.conf.j2
dest: /etc/systemd/system/docker.service.d/override.conf
owner: root
group: root
mode: 0644
notify: Restart Docker

4
roles/docker/templates/systemd/system/docker.service.d/override.conf.j2 100644
View File

@ -0,0 +1,4 @@
[Service]
# Allow domain resolution, don't use adm network for anything else
ExecStartPost=/bin/sh -c "/usr/sbin/iptables -I FORWARD 1 -i docker0 -d {{ docker.dns_network }} -p udp --dport 53 -j ACCEPT; /usr/sbin/iptables -I FORWARD 2 -d {{ docker.adm_network }} -i docker0 -j REJECT --reject-with icmp-port-unreachable"
ExecStopPost=/usr/sbin/iptables --flush FORWARD