
Improve firewall config for connections from Jenkins agents to the orchestrator and other services

This is how Jenkins agents currently access the orchestrator:

| Connection | URL | URL source |
| --- | --- | --- |
| First connection | `http://jenkins.${::domain}:8080` | configured in the systemd service unit file |
| Subsequent connections | `https://jenkins.tails.boum.org` | uses the URL provided by Jenkins |

Currently, our Jenkins Agent VMs resolve:

  • jenkins.tails.boum.org → 192.168.122.1 (using /etc/hosts)

In order for that to work, we have the following extra configs in place:

  • Jenkins agents firewall:
    • 192.168.122.1:80 → 192.168.122.6:1180
    • 192.168.122.1:443 → 192.168.122.6:11443
    • 192.168.122.1:8080 → 192.168.122.11:8080
    • 192.168.122.1:42585 → 192.168.122.11:42585
    • 192.168.122.1:3004 → 192.168.122.2:22 (puppet-git.lizard)
    • 192.168.122.1:3006 → 192.168.122.14:22 (misc.lizard)
  • www.lizard Nginx config:
    • Unauthenticated access to Jenkins on ports 1180 and 11443.
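The per-port exceptions above can be kept as one data table and rendered into firewall rules from it, so that each gateway-port to VM-port mapping is written once and reviewed in one place. The script below is an added example, not the Tails project's own Puppet or firewall code. It assumes the agent VMs use nftables, interprets each arrow in the list as a DNAT mapping (the page does not name the mechanism), and uses placeholder table and chain names. Because the connections originate on the agent itself, the rules are attached to the nat `output` hook rather than `prerouting`, which only sees forwarded or incoming traffic.

```shell
#!/bin/sh
# Added example (not from the Tails issue or its Puppet code): render the
# DNAT exceptions for a Jenkins agent from a single data table and validate
# the entries before anything is emitted.
#
# Assumptions not stated on the page: nftables on the agent, table/chain
# names "nat"/"output" as placeholders, gateway address 192.168.122.1.

# One mapping per line: <gateway port> <backend IP> <backend port> <comment>
# The values are those listed in the issue; the comments are constructed.
DNAT_MAP='
80    192.168.122.6  1180  www-http
443   192.168.122.6  11443 www-https
8080  192.168.122.11 8080  jenkins-first-connection
42585 192.168.122.11 42585 jenkins-agent
3004  192.168.122.2  22    puppet-git.lizard
3006  192.168.122.14 22    misc.lizard
'

GATEWAY=192.168.122.1

# validate_map: every port must be numeric and within 1..65535, and every
# backend must sit inside the 192.168.122.0/24 guest network. Prints the
# offending entry and returns 1 on the first problem, 0 when all is well.
validate_map() {
    while read -r gport ip bport name; do
        [ -n "$gport" ] || continue
        for p in "$gport" "$bport"; do
            case "$p" in
                ''|*[!0-9]*) echo "non-numeric port in '$name'" >&2; return 1 ;;
            esac
            [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
                echo "port $p out of range in '$name'" >&2; return 1; }
        done
        case "$ip" in
            192.168.122.*) ;;
            *) echo "backend $ip outside guest network in '$name'" >&2; return 1 ;;
        esac
    done <<EOF
$DNAT_MAP
EOF
    return 0
}

# render_nft: emit an nftables ruleset with one dnat rule per mapping.
# Locally generated traffic only traverses the output hook, so that is
# where the rewrite must happen on the agent.
render_nft() {
    validate_map || return 1
    printf 'table ip nat {\n'
    printf '  chain output {\n'
    printf '    type nat hook output priority -100;\n'
    while read -r gport ip bport name; do
        [ -n "$gport" ] || continue
        printf '    ip daddr %s tcp dport %s dnat to %s:%s comment "%s"\n' \
            "$GATEWAY" "$gport" "$ip" "$bport" "$name"
    done <<EOF
$DNAT_MAP
EOF
    printf '  }\n}\n'
}

# Usage: review the generated ruleset, then load it with `nft -f`.
render_nft
```

Adding a service then means adding one line to `DNAT_MAP`; the validation step catches a typo in a port or an address outside the guest network before a rule that silently matches nothing is installed.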

Let's try to come up with an improved way of resolving names and routing VMs to services, so that we have fewer manually configured exceptions and the setup is more maintainable.

Edited by Zen Fu