X-Git-Url: https://git.friedersdorff.com/?a=blobdiff_plain;f=states%2Fglocker%2Finit.sls;fp=states%2Fglocker%2Finit.sls;h=a50749168e2c29b20d5e4bdc171a3a03179bbc04;hb=5cd1e37f26d65c20b86ecb231119354f65e2db22;hp=0000000000000000000000000000000000000000;hpb=baf82eea366408c38870c92bc2de8f0ae7858250;p=max%2Fsaltfiles.git
diff --git a/states/glocker/init.sls b/states/glocker/init.sls
new file mode 100644
index 0000000..a507491
--- /dev/null
+++ b/states/glocker/init.sls
@@ -0,0 +1,50 @@
+glocker chain:
+ iptables.chain_present:
+ - name: glocker
+ - table: filter
+
+accept glocker-except:
+ iptables.insert:
+ - table: filter
+ - chain: glocker
+ - jump: ACCEPT
+ - match-set: glocker-except dst
+ - position: 1
+
+allow uid 40000-50000:
+ iptables.insert:
+ - table: filter
+ - chain: glocker
+ - jump: ACCEPT
+ - match: owner
+ - uid-owner: 40000-50000
+ - position: 2
+
+reject glocker:
+ iptables.insert:
+ - table: filter
+ - chain: glocker
+ - jump: REJECT
+ - reject-with: icmp-port-unreachable
+ - match-set: glocker dst
+ - position: 3
+
+jump to glocker:
+ iptables.insert:
+ - table: filter
+ - chain: OUTPUT
+ - jump: glocker
+ - position: 1
+
+glocker cron job:
+ file.managed:
+ - name: /etc/cron.hourly/glocker
+ - source: salt://glocker/files/cronjob
+ - user: root
+ - group: root
+ - mode: 750
+
+ensure allowed_hosts file exists:
+ file.touch:
+ - name: /etc/glocker/allowed_hosts
+ - makedirs: True
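Review bot: None of the `iptables.*` states in this hunk set `family`, which Salt defaults to `ipv4`, so the `glocker` chain, its REJECT rule and the OUTPUT jump are installed only in the IPv4 filter table and any IPv6 route to a blocked destination bypasses the block entirely. If the host has IPv6 connectivity each state needs a `- family: ipv6` counterpart (with matching `inet6` ipsets); if the omission is deliberate, record it with a comment such as `# IPv4 only: IPv6 egress is not filtered by this chain`. The `glocker` and `glocker-except` ipsets referenced by `match-set` are not created anywhere in this state, so `accept glocker-except` and `reject glocker` will fail on a fresh host unless the cron job sourced from `salt://glocker/files/cronjob` (not shown) creates them first, and the chain/jump ordering currently relies on file order rather than an explicit `- require: - iptables: glocker chain` on `jump to glocker`. No `iptables.insert` here passes `save: True`, so the ruleset appears to be lost at reboot until the next highstate runs.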