gitlab: Add port forwarding for its SSH service

3d6ba47e · James T. Lee · b68eb351 · 3d6ba47e · 3d6ba47e
Commit 3d6ba47e authored Nov 28, 2020 by James T. Lee
Hide whitespace changes
Inline Side-by-side

Showing with 89 additions and 0 deletions

manifests/lib/port_forward.pp manifests/lib/port_forward.pp +80 -0

manifests/service/gitlab.pp manifests/service/gitlab.pp +9 -0

No files found.
--- a/manifests/lib/port_forward.pp
+++ b/manifests/lib/port_forward.pp
+define nest::lib::port_forward (
+  Stdlib::Port                      $port,
+  Enum['tcp', 'udp']                $proto,
+  Optional[Stdlib::IP::Address::V4] $source_ip4,
+  Optional[Stdlib::IP::Address::V4] $destination_ip4,
+  Optional[Stdlib::IP::Address::V6] $source_ip6,
+  Optional[Stdlib::IP::Address::V6] $destination_ip6,
+) {
+  if $source_ip4 and $destination_ip4 {
+    firewall {
+      default:
+        provider => iptables,
+      ;
+      "100 ${name} dnat (v4)":
+        table       => nat,
+        chain       => 'PREROUTING',
+        destination => $source_ip4,
+        proto       => $proto,
+        dport       => $port,
+        jump        => 'DNAT',
+        todest      => $destination_ip4,
+      ;
+      "100 ${name} (v4)":
+        chain       => 'FORWARD',
+        destination => $destination_ip4,
+        proto       => $proto,
+        dport       => $port,
+        action      => accept,
+      ;
+      "100 ${name} snat (v4)":
+        table       => nat,
+        chain       => 'POSTROUTING',
+        destination => $destination_ip4,
+        proto       => $proto,
+        sport       => $port,
+        jump        => 'SNAT',
+        tosource    => $source_ip4,
+      ;
+    }
+  }
+  if $source_ip6 and $destination_ip6 {
+    firewall {
+      default:
+        provider => ip6tables,
+      ;
+      "100 ${name} dnat (v6)":
+        table       => nat,
+        chain       => 'PREROUTING',
+        destination => $source_ip6,
+        proto       => $proto,
+        dport       => $port,
+        jump        => 'DNAT',
+        todest      => $destination_ip6,
+      ;
+      "100 ${name} (v6)":
+        chain       => 'FORWARD',
+        destination => $destination_ip6,
+        proto       => $proto,
+        dport       => $port,
+        action      => accept,
+      ;
+      "100 ${name} snat (v6)":
+        table       => nat,
+        chain       => 'POSTROUTING',
+        destination => $destination_ip6,
+        proto       => $proto,
+        sport       => $port,
+        jump        => 'SNAT',
+        tosource    => $source_ip6,
+      ;
+    }
+  }
+}
--- a/manifests/service/gitlab.pp
+++ b/manifests/service/gitlab.pp
@@ -53,6 +53,15 @@ class nest::service::gitlab {
    provider => ip6tables,
  }
+  nest::lib::port_forward { 'gitlab ssh':
+    port            => 22,
+    proto           => tcp,
+    source_ip4      => '104.156.227.40',
+    destination_ip4 => '172.18.0.2',
+    source_ip6      => '2001:19f0:300:2005::40',
+    destination_ip6 => 'fc00:18::2',
+  }
  nest::lib::revproxy { 'gitlab.james.tl':
    destination => '172.18.0.2',
    ip          => ['104.156.227.40', '2001:19f0:300:2005::40'],