gitea-admin
/
hetzner-ansible
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

DEV-607: added missing ufw rules + added automationgit statusgit status

Browse Source
qa
friedrich goerz 3 years ago
parent 8146179308
commit 62a6478060
2 changed files with 73 additions and 42 deletions
Show Stats Download Patch File Download Diff File

99
.gitlab-ci.yml
Unescape Escape View File

@ -93,28 +93,6 @@ builder-job:
except:
- schedules
run-setup-digitalocean:
extends: .run-ansible
stage: run-setup
before_script:
- export STAGE=dev
- echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
script:
- 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
- mkdir -p ~/.ssh
- chmod 0700 ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
- ssh-add -L
- ansible-playbook -i stage-digitalocean setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
after_script:
- rm /tmp/vault-pass
only:
- main
except:
- schedules
run-setup-dev:
extends: .run-setup
resource_group: dev
@ -315,23 +293,12 @@ run-patchday-dev:
rules:
- if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
run-patchday-dev-digitalocean:
extends: .run-ansible
stage: run-patchday
run-patchday-devscr:
extends: .run-patchday
resource_group: devscr
before_script:
- echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
script:
- 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
- mkdir -p ~/.ssh
- chmod 0700 ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
- ssh-add -L
- ansible-playbook -i stage-digitalocean patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci
after_script:
- rm /tmp/vault-pass
timeout: 2h
- export STAGE=devscr
- echo "${ANSIBLE_VAULT_PASS_DEVSCR}" > /tmp/vault-pass
rules:
- if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
@ -431,3 +398,59 @@ run-patchday-prodwork01:
# - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
# only:
# - prodnso
########
### http://patorjk.com/software/taag/#p=display&f=Doom&t=Digitialocean
###
### ______ _ _ _ _ _
### | _ (_) (_) | (_) | |
### | | | |_ __ _ _| |_ _ __ _| | ___ ___ ___ __ _ _ __
### | | | | |/ _` | | __| |/ _` | |/ _ \ / __/ _ \/ _` | '_ \
### | |/ /| | (_| | | |_| | (_| | | (_) | (_| __/ (_| | | | |
### |___/ |_|\__, |_|\__|_|\__,_|_|\___/ \___\___|\__,_|_| |_|
### __/ |
### |___/
run-setup-digitalocean:
extends: .run-ansible
stage: run-setup
before_script:
- export STAGE=dev
- echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
script:
- 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
- mkdir -p ~/.ssh
- chmod 0700 ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
- ssh-add -L
- ansible-playbook -i stage-digitalocean setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
- ansible-playbook -i stage-digitalocean external_monitoring.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
after_script:
- rm /tmp/vault-pass
only:
- main
except:
- schedules
run-patchday-dev-digitalocean:
extends: .run-ansible
stage: run-patchday
before_script:
- echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
script:
- 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
- eval $(ssh-agent -s)
- 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
- mkdir -p ~/.ssh
- chmod 0700 ~/.ssh
- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
- ssh-add -L
- ansible-playbook -i stage-digitalocean patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci
after_script:
- rm /tmp/vault-pass
timeout: 2h
rules:
- if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"

16
external_monitoring.yml
Unescape Escape View File

@ -2,18 +2,26 @@
- name: 'apply setup to {{ host | default("all") }}'
hosts: '{{ host | default("all") }}'
serial: "{{ serial_number | default(5) }}"
become: yes
tasks:
- set_fact:
promethues_endpoints_all_stages:
- name: "Set VARs"
set_fact:
prometheus_endpoints_all_stages:
- "{{ lookup('community.general.dig', 'dev-prometheus-01.' + domain ) }}"
- "{{ lookup('community.general.dig', 'qa-prometheus-01.' + domain ) }}"
- "{{ lookup('community.general.dig', 'prodnso-prometheus-01.' + domain ) }}"
k8s_nodes_mobene:
- "{{ lookup('community.general.dig', 'prodwork01-kube-node-01.' + domain ) }}"
- "{{ lookup('community.general.dig', 'prodwork01-kube-node-02.' + domain ) }}"
- "{{ lookup('community.general.dig', 'prodwork01-kube-node-03.' + domain ) }}"
- name: "Allow SSH in UFW"
ufw:
rule: limit
port: 22
proto: tcp
src: "{{ item }}"
loop: "{{ ip_whitelist }}"
- name: "Allow port 9100 for node-exporter in UFW"
ufw:
@ -21,7 +29,7 @@
port: 9100
proto: tcp
src: "{{ item }}"
loop: "{{ promethues_endpoints_all_stages }}"
loop: "{{ prometheus_endpoints_all_stages }}"
- name: "Allow port 9115 for blackbox-exporter in UFW"
ufw:
@ -29,7 +37,7 @@
port: 9115
proto: tcp
src: "{{ item }}"
loop: "{{ promethues_endpoints_all_stages + ip_whitelist_admins}}"
loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + ip_whitelist_admins + k8s_nodes_mobene }}"
- name: "Set firewall default policy"
ufw:

Write Preview
Loading…
Cancel
Save