--- # Define resources for this group of hosts here. lvm_size: 20000 mem_size: 8192 num_cpus: 4 # # allow incoming openvpn and smtp # tcp_ports: [ 25, 1194 ] udp_ports: [ 1194 ] # # drop incoming traffic from less trusted vpn hosts # allow ntp from internal phx2 10 nets # custom_rules: [ '-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT', ] # # allow a bunch of sysadmin groups here so they can access internal stuff # TODO - remove modularity-wg membership here once it is not longer needed: # https://fedorahosted.org/fedora-infrastructure/ticket/5363 fas_client_groups: sysadmin-ask,sysadmin-web,sysadmin-main,sysadmin-cvs,sysadmin-build,sysadmin-noc,sysadmin-releng,sysadmin-dba,sysadmin-hosted,sysadmin-tools,sysadmin-spin,sysadmin-cloud,fi-apprentice,sysadmin-darkserver,sysadmin-badges,sysadmin-troubleshoot,sysadmin-qa,sysadmin-centos,sysadmin-ppc,sysadmin-koschei,sysadmin-secondary,sysadmin-fedimg,sysadmin-veteran,sysadmin-mbs,modularity-wg,pungi-devel # # This is a postfix gateway. This will pick up gateway postfix config in base # postfix_group: gateway postfix_transport_filename: transports.gateway # # Set this to get fasclient cron to make the aliases file # fas_aliases: true # # Sometimes there are lots of postfix processes # nrpe_procs_warn: 1100 nrpe_procs_crit: 1200 # These variables are pushed into /etc/system_identification by the base role. # Groups and individual hosts should override them with specific info. # See http://infrastructure.fedoraproject.org/csi/security-policy/ csi_security_category: High csi_primary_contact: sysadmin-main admin@fedoraproject.org csi_purpose: SSH proxy to access infrastructure not exposed to the web csi_relationship: | - Provides ssh access to all phx2/vpn connected servers. - Bastion is the hub for all infrastructure's VPN connections. - All incoming SMTP from phx2 and VPN, as well as outgoing SMTP, pass or are filtered here. - Bastion does not accept any mail outside phx2/vpn.