From dc9a3a072530f67af655c966b7c30c93aed04932 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 31 Jan 2025 17:01:03 +0000
Subject: [PATCH] Limit access to hosts that have sssd running

---
 group_vars/adm.yml | 3 +++
 group_vars/mail.yml | 4 ++++
 group_vars/nas.yml | 3 +++
 group_vars/nms.yml | 3 +++
 group_vars/print.yml | 3 +++
 group_vars/shell.yml | 5 +++--
 group_vars/static.yml | 3 +++
 7 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/group_vars/adm.yml b/group_vars/adm.yml
index 0a9a22a..a06d51b 100644
--- a/group_vars/adm.yml
+++ b/group_vars/adm.yml
@@ -7,3 +7,6 @@ firewall_in:
 - {proto: tcp, port: 80, from: [172.20.20.0/22]}
 - {proto: tcp, port: 443, from: [172.20.20.0/22]}
 - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+
+sssd_allow_groups:
+ - sysadm
diff --git a/group_vars/mail.yml b/group_vars/mail.yml
index ebf99cb..4de52d0 100644
--- a/group_vars/mail.yml
+++ b/group_vars/mail.yml
@@ -2,6 +2,7 @@
 datadisks:
 - {size: 10, type: nvme}
 mem_size: 4192
+
 firewall_in:
 - {proto: tcp, port: 22, from: [172.20.20.0/22]}
 - {proto: tcp, port: 25}
@@ -11,3 +12,6 @@ firewall_in:
 - {proto: tcp, port: 587}
 - {proto: tcp, port: 993}
 - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+
+sssd_allow_groups:
+ - sysadm
diff --git a/group_vars/nas.yml b/group_vars/nas.yml
index 18f29d9..5dac726 100644
--- a/group_vars/nas.yml
+++ b/group_vars/nas.yml
@@ -10,3 +10,6 @@ firewall_in:
 - {proto: tcp, port: 2049, from: [172.20.20.0/22]}
 - {proto: tcp, port: 2049, from: [172.20.30.0/24]}
 - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+
+sssd_allow_groups:
+ - root
diff --git a/group_vars/nms.yml b/group_vars/nms.yml
index bdfe2a9..b05d9f0 100644
--- a/group_vars/nms.yml
+++ b/group_vars/nms.yml
@@ -33,3 +33,6 @@ firewall_in:
 firewall_raw:
 - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
 - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
+
+sssd_allow_groups:
+ - sysadm
diff --git a/group_vars/print.yml b/group_vars/print.yml
index 469cb94..27c7c02 100644
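Review bot: The new `sssd_allow_groups` key in adm.yml (and its twins in the other group_vars files) carries no comment saying what it feeds, so a reader cannot tell whether it becomes sssd's `simple_allow_groups`, an `ldap_access_filter`, or sshd `AllowGroups`, and those have different failure modes when a group does not resolve. Add `# Directory groups permitted to log in on this host class; rendered by the sssd role` above the key. Also worth checking, though not visible in this patch, is what the sssd role does for a host group that defines no `sssd_allow_groups` at all: with sssd's simple access provider an empty allow list admits every domain user, so a restrictive default in the role or in group_vars/all would make the limit fail closed for host groups added later.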
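Review bot: `sssd_allow_groups: [root]` in nas.yml reads as "no directory user may log in", but `root` is normally a local gid-0 group rather than one the identity provider knows, so the actual effect depends on how the sssd role handles an allow group that cannot be resolved — depending on sssd version the simple access provider has either skipped such an entry or failed the access check outright, and a role that templates `AllowGroups` would behave differently again. If the intent is "no remote logins", express it explicitly — whatever deny-all form the role supports, plus a comment such as `# no directory users may log in; local accounts only` — instead of relying on a group name that happens not to match anyone. static.yml in this same patch uses the identical construct and should be treated the same way.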
--- a/group_vars/print.yml
+++ b/group_vars/print.yml
@@ -22,3 +22,6 @@ firewall_in:
 firewall_raw:
 - "-A INPUT -i eth1 -d 224.0.0.0/8 -j ACCEPT"
 - "-A INPUT -i eth1 -p vrrp -j ACCEPT"
+
+sssd_allow_groups:
+ - sysadm
diff --git a/group_vars/shell.yml b/group_vars/shell.yml
index f61151a..6300cab 100644
--- a/group_vars/shell.yml
+++ b/group_vars/shell.yml
@@ -1,6 +1,4 @@
 ---
-
-# beef up shell hosts
 dsk_size: 40
 mem_size: 8192
 num_cpus: 4
@@ -13,3 +11,6 @@ firewall_in:
 
 ssh_hostnames:
 - shell.foo.sh
+
+sssd_allow_groups:
+ - foosh
diff --git a/group_vars/static.yml b/group_vars/static.yml
index a6636ac..f211563 100644
--- a/group_vars/static.yml
+++ b/group_vars/static.yml
@@ -3,3 +3,6 @@ firewall_in:
 - {proto: tcp, port: 22, from: [172.20.20.0/22]}
 - {proto: tcp, port: 443, from: [172.20.20.0/22]}
 - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+
+sssd_allow_groups:
+ - root
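Review bot: `sssd_allow_groups: [foosh]` in shell.yml limits only accounts that sssd itself resolves, so local accounts on the shell hosts are untouched by this change and remain whatever sshd and PAM already permit. Because `ssh_hostnames: shell.foo.sh` makes this the one host class in the patch with a public-looking ssh name, consider enforcing the same group in sshd's `AllowGroups` (or confirm the sssd role already does), so that a misconfigured or unreachable access provider cannot widen who may log in. The rest of shell.yml, including whether its `firewall_in` restricts port 22 by source as the other files do, lies outside the hunk and is not visible here.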
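Review bot: static.yml's `sssd_allow_groups: [root]` is undocumented, and since `root` is usually a local group rather than one the directory resolves, the effect — deny all directory users, or an unresolvable-group condition the sssd role has to handle — is not obvious from the file. Add a one-line comment stating the intent, e.g. `# intentionally no directory group: static hosts take local/admin logins only`, or switch to whatever explicit deny-all form the sssd role supports so the outcome does not hinge on a non-matching name.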