127 lines
3.3 KiB
Django/Jinja
127 lines
3.3 KiB
Django/Jinja
#!/bin/bash
|
|
# provisioning {{provisioning_vers}} UpCloud firewall and security rules: {{now}}
|
|
{%- if debug and debug == "yes" %} set -x {% endif %}
|
|
[ -z "$UPCLOUD_USERNAME" ] && [ ! -r "$HOME/.config/upctl.yaml" ] && echo "UpCloud credentials not found" && exit 1
|
|
|
|
{# Validate prerequisites #}
|
|
{%- if firewalls and firewalls|length > 0 %}
|
|
|
|
echo "=== Configuring UpCloud Firewall Rules ==="
|
|
{%- for firewall in firewalls %}
|
|
{%- if firewall.name %}
|
|
|
|
# Configure firewall: {{ firewall.name }}
|
|
echo ""
|
|
echo "Configuring firewall rules for: {{ firewall.name }}"
|
|
|
|
{%- if firewall.rules and firewall.rules|length > 0 %}
|
|
{%- for rule in firewall.rules %}
|
|
|
|
# Firewall rule: {{ rule.direction | default('in') }} {{ rule.protocol | default('tcp') }} {{ rule.port | default('any') }}
|
|
{%- if rule.direction == 'out' or rule.direction == 'egress' %}
|
|
|
|
# Egress rule (outbound traffic)
|
|
upctl firewall rule create \
|
|
--firewall-policy-default-action "{{ rule.action | default('accept') }}" \
|
|
{%- if rule.comment %} \
|
|
--comment "{{ rule.comment }}" \
|
|
{%- endif -%}
|
|
{%- if server and server.hostname %} \
|
|
"{{ server.hostname }}" \
|
|
{%- endif %}
|
|
|
|
{%- else %}
|
|
|
|
# Ingress rule (inbound traffic)
|
|
upctl server firewall rule create \
|
|
--direction in \
|
|
--action "{{ rule.action | default('accept') }}" \
|
|
--protocol "{{ rule.protocol | default('tcp') }}" \
|
|
{%- if rule.port and rule.port != 'any' %} \
|
|
--destination-port-start {{ rule.port }} \
|
|
--destination-port-end {{ rule.port }} \
|
|
{%- elif rule.port_start and rule.port_end %} \
|
|
--destination-port-start {{ rule.port_start }} \
|
|
--destination-port-end {{ rule.port_end }} \
|
|
{%- endif -%}
|
|
{%- if rule.source_ips %} \
|
|
--source-address "{{ rule.source_ips | join(',') }}" \
|
|
{%- endif -%}
|
|
{%- if rule.comment %} \
|
|
--comment "{{ rule.comment }}" \
|
|
{%- endif -%}
|
|
{%- if server and server.hostname %} \
|
|
"{{ server.hostname }}" \
|
|
{%- endif %}
|
|
|
|
{%- endif %}
|
|
|
|
{%- endfor %}
|
|
{%- else %}
|
|
|
|
echo "No rules defined for firewall {{ firewall.name }}"
|
|
|
|
{%- endif %}
|
|
|
|
{%- if firewall.apply_to and firewall.apply_to|length > 0 %}
|
|
|
|
# Apply firewall to servers
|
|
{%- for target in firewall.apply_to %}
|
|
|
|
echo "Applying firewall rules to: {{ target }}"
|
|
if upctl server show "{{ target }}" >/dev/null 2>/dev/null ; then
|
|
echo "✅ Firewall rules applied to {{ target }}"
|
|
else
|
|
echo "⚠️ Server {{ target }} not found for firewall application"
|
|
fi
|
|
|
|
{%- endfor %}
|
|
{%- endif %}
|
|
|
|
{%- if firewall.rules|length > 0 %}
|
|
|
|
echo "✅ Firewall {{ firewall.name }} configured with {{ firewall.rules|length }} rules"
|
|
|
|
{%- endif %}
|
|
|
|
{%- endif %}
|
|
{%- endfor %}
|
|
|
|
echo ""
|
|
echo "=== Firewall Configuration Complete ==="
|
|
{%- else %}
|
|
|
|
echo "No firewalls defined for this configuration"
|
|
|
|
{%- endif %}
|
|
|
|
# Additional security settings
|
|
{%- if security_policy %}
|
|
|
|
echo ""
|
|
echo "=== Applying Additional Security Policy ==="
|
|
|
|
{%- if security_policy.enable_host_protection %}
|
|
|
|
# Enable host protection features
|
|
echo "Enabling host protection..."
|
|
|
|
{%- endif %}
|
|
|
|
{%- if security_policy.ssh_keys %}
|
|
|
|
# Configure SSH key restrictions
|
|
echo "Setting up SSH key restrictions..."
|
|
|
|
{%- endif %}
|
|
|
|
{%- if security_policy.require_authentication %}
|
|
|
|
# Require authentication for all operations
|
|
echo "Enabling authentication requirements..."
|
|
|
|
{%- endif %}
|
|
|
|
echo "✅ Security policy applied"
|
|
|
|
{%- endif %}
|