create a hardened bastion host for the cymru management network
in #40097 (closed), we set up a network for management, but currently all nodes have access to it. we should restrict this to only a subset, and create a hardened host (or a Ganeti instance?) that has access to this network but is itself only accessible through IPsec.
Next steps are:

- renumber iDRACs to point to a floating IP (say 172.30.140.100/24) as a gateway, instead of the current one (the iDRAC of 172.30.140.10) so that routing works correctly
- configure two chi-node-X machines (or an instance spread over those two?) with that IP, in Puppet
- investigate alternatives to packet forwarding or, failing that, configure routing on that node (
- allow access to the VLAN to only those two chi-node-X machines
- restrict usage of those boxes?
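As an added illustration of the "configure routing on that node" branch (example ruleset written for this ticket, not the project's Puppet code): an nftables policy for the bastion that only forwards IPsec-protected traffic into the iDRAC VLAN. Assumed names: the VLAN is reached via `vlan140`, the IPsec-facing interface is `eth0`, and `10.0.0.0/24` is a placeholder for the inner addresses of the allowed IPsec peers; `172.30.140.0/24` is the management network from the ticket.

```nft
#!/usr/sbin/nft -f
# Example ruleset for the management bastion (not from the ticket or Puppet).
# Assumptions: iDRAC VLAN on "vlan140", IPsec side on "eth0", peers' inner
# addresses in 10.0.0.0/24 (placeholder). 172.30.140.0/24 is from the ticket.
flush ruleset

define mgmt_net    = 172.30.140.0/24
define mgmt_iface  = "vlan140"
define outer_iface = "eth0"
define ipsec_peers = { 10.0.0.0/24 }   # placeholder: allowed IPsec peers

table inet mgmt_bastion {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # IKE and ESP must arrive in the clear so the tunnel can be negotiated
        iifname $outer_iface udp dport { 500, 4500 } accept
        iifname $outer_iface meta l4proto esp accept
        # ssh to the bastion itself only from peers, and only after IPsec decapsulation
        iifname $outer_iface meta ipsec exists ip saddr $ipsec_peers tcp dport 22 accept
        # iDRACs may only ping their gateway; nothing else from the VLAN reaches the host
        iifname $mgmt_iface ip saddr $mgmt_net icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only IPsec-protected traffic from allowed peers is routed into the iDRAC VLAN
        iifname $outer_iface oifname $mgmt_iface meta ipsec exists \
            ip saddr $ipsec_peers ip daddr $mgmt_net accept
        # no rule for vlan140 -> eth0: iDRACs never initiate connections out of the VLAN
    }
}
```

Forwarding still needs `net.ipv4.ip_forward=1` on the node; the `policy drop` defaults mean anything not matched above (including iDRAC-initiated traffic) is discarded, which is the restriction the last two steps ask for.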