diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 63d2594..bc1c66a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -18,7 +18,7 @@ stages:
 - run-kubernetes
 - run-management-update
 - run-patchday
-# - run-hcloud-firewall
+ - run-hcloud-firewall
 lint-job:
 stage: lint
@@ -330,7 +330,6 @@ run-patchday-prodwork01:
 - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso" - ######## ### http://patorjk.com/software/taag/#p=display&f=Doom&t=patchday.yml ### 
@@ -344,60 +343,60 @@ run-patchday-prodwork01:
 ### |______| |___/ ###
-#.run-hcloud-firewall:
-# extends: .run-ansible
-# stage: run-hcloud-firewall
-# script:
-# - ansible-playbook -e "stage=${STAGE}" hcloud_firewall.yml --vault-password-file /tmp/vault-pass
-# after_script:
-# - rm /tmp/vault-pass
-# except:
-# - schedules
-#
-#run-hcloud-firewall-dev:
-# extends: .run-hcloud-firewall
-# resource_group: dev
-# before_script:
-# - export STAGE=dev
-# - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
-# only:
-# - main
-#
-#run-hcloud-firewall-devscr:
-# extends: .run-hcloud-firewall
-# resource_group: devscr
-# before_script:
-# - export STAGE=devscr
-# - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
-# only:
-# - main
-#
-#run-hcloud-firewall-qa:
-# extends: .run-hcloud-firewall
-# resource_group: qa
-# before_script:
-# - export STAGE=qa
-# - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
-# only:
-# - qa
-#
-#run-hcloud-firewall-prodnso:
-# extends: .run-hcloud-firewall
-# resource_group: prodnso
-# before_script:
-# - export STAGE=prodnso
-# - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
-# only:
-# - prodnso
-#
-#run-hcloud-firewall-prodwork01:
-# extends: .run-hcloud-firewall
-# resource_group: prodwork01
-# before_script:
-# - export STAGE=prodwork01
-# - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
-# only:
-# - prodnso
+.run-hcloud-firewall:
+ extends: .run-ansible
+ stage: run-hcloud-firewall
+ script:
+ - ansible-playbook -e "stage=${STAGE}" hcloud_firewall.yml --vault-password-file /tmp/vault-pass
+ after_script:
+ - rm /tmp/vault-pass
+ except:
+ - schedules
+
+run-hcloud-firewall-dev:
+ extends: .run-hcloud-firewall
+ resource_group: dev
+ before_script:
+ - export STAGE=dev
+ - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+ only:
+ - main
+
+run-hcloud-firewall-devscr:
+ extends: .run-hcloud-firewall
+ resource_group: devscr
+ before_script:
+ - export STAGE=devscr
+ - echo "${ANSIBLE_VAULT_PASS_DEV}" > 
/tmp/vault-pass
+ only:
+ - main
+
+run-hcloud-firewall-qa:
+ extends: .run-hcloud-firewall
+ resource_group: qa
+ before_script:
+ - export STAGE=qa
+ - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
+ only:
+ - qa
+
+run-hcloud-firewall-prodnso:
+ extends: .run-hcloud-firewall
+ resource_group: prodnso
+ before_script:
+ - export STAGE=prodnso
+ - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
+ only:
+ - prodnso
+
+run-hcloud-firewall-prodwork01:
+ extends: .run-hcloud-firewall
+ resource_group: prodwork01
+ before_script:
+ - export STAGE=prodwork01
+ - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
+ only:
+ - prodnso
 ########
diff --git a/group_vars/all/firewall.yml b/group_vars/all/firewall.yml
index ec451be..e280f06 100644
--- a/group_vars/all/firewall.yml
+++ b/group_vars/all/firewall.yml
@@ -59,7 +59,7 @@ hcloud_firewall_objects:
 direction: in
 protocol: tcp
 port: '9080-9085'
- source_ips: '{{ ip_whitelist }}'
+ source_ips: '{{ ip_whitelist + [ lookup("community.general.dig", stage + "-prometheus-01." + domain ) + "/32"] }}'
 destination_ips: []
 description: 'Server/Service Monitoring'
-
diff --git a/group_vars/stage_devscr/hcloud_firewall.yml b/group_vars/stage_devscr/firewall.yml
similarity index 96%
rename from group_vars/stage_devscr/hcloud_firewall.yml
rename to group_vars/stage_devscr/firewall.yml
index 9a9d8d9..2714c69 100644
--- a/group_vars/stage_devscr/hcloud_firewall.yml
+++ b/group_vars/stage_devscr/firewall.yml
@@ -1,4 +1,5 @@
 ---
+hcloud_firewall_app_specific_stuff: False
 hcloud_firewall_objects:
 - name: "{{ stage }}-default"
diff --git a/group_vars/stage_prodnso/backup.yml b/group_vars/stage_prodnso/backup.yml
index f6bc30d..52604ae 100644
--- a/group_vars/stage_prodnso/backup.yml
+++ b/group_vars/stage_prodnso/backup.yml
@@ -1,2 +1,2 @@
 backup_lvm_hcloudvol_size: 30
-backup_lvm_hcloudvol_count: 2
+backup_lvm_hcloudvol_count: 3
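Review bot: Every `before_script` in this hunk writes the vault password to the fixed path `/tmp/vault-pass` with a plain redirect, so with the runner's default umask the file is created readable by every user on that host, and the fixed name means two of these jobs landing on the same shell-executor runner would overwrite each other's password file (`resource_group` only serializes jobs of one stage). Create the file with restrictive permissions before the secret lands in it, e.g. `- umask 077 && echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass`, or take the path from `mktemp` and export it for `script`. The `rm` in `.run-hcloud-firewall`'s `after_script` is best-effort, since `after_script` is not guaranteed to run for a cancelled job. The `ANSIBLE_VAULT_PASS_*` variables should be configured as masked and protected CI variables, as the jobs run from the `prodnso` and `qa` branches; the patchday jobs above this hunk presumably use the same pattern and are outside it.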
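Review bot: The new `source_ips` line turns an unauthenticated DNS answer into a firewall allow-list entry: whatever the host running the playbook resolves `<stage>-prometheus-01.<domain>` to gets TCP 9080-9085 opened to it, and by default `community.general.dig` returns the literal string `NXDOMAIN` instead of failing when the name does not resolve, which would push `NXDOMAIN/32` into the rule. Prefer taking that host's address from inventory or the hcloud facts the playbook already has; if DNS must be used, pass `fail_on_error=True` to the lookup (where the installed collection version supports it) and validate the result as an IP address before appending `/32`. Because the lookup is re-evaluated on every run, a changed answer silently rewrites the rule without anything in the diff showing it.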
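Review bot: `hcloud_firewall_app_specific_stuff: False` uses a capitalised boolean; Ansible's YAML 1.1 loader accepts it, but lowercase is the conventional (and yamllint-clean) form, so `hcloud_firewall_app_specific_stuff: false`. The same line is added in `group_vars/stage_prodwork01/firewall.yml` further down. Moving the key from `plain.yml` into the per-stage `firewall.yml` means it is now only defined for stages that ship such a file; if the role reads it unconditionally, a default in the role defaults or in `group_vars/all` would avoid an undefined-variable failure for the other stages (the `group_vars/all/firewall.yml` hunk in this diff does not add one).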
diff --git a/group_vars/stage_prodwork01/firewall.yml b/group_vars/stage_prodwork01/firewall.yml
index 9a9d8d9..2714c69 100644
--- a/group_vars/stage_prodwork01/firewall.yml
+++ b/group_vars/stage_prodwork01/firewall.yml
@@ -1,4 +1,5 @@
 ---
+hcloud_firewall_app_specific_stuff: False
 hcloud_firewall_objects:
 - name: "{{ stage }}-default"
diff --git a/group_vars/stage_prodwork01/plain.yml b/group_vars/stage_prodwork01/plain.yml
index c5f541a..674812b 100644
--- a/group_vars/stage_prodwork01/plain.yml
+++ b/group_vars/stage_prodwork01/plain.yml
@@ -1,7 +1,6 @@
 ---
 stage: "prodwork01"
-hcloud_firewall_app_specific_stuff: False
 default_plattform_users:
 - 'friedrich.goerz'
diff --git a/templates/prometheus/config/prometheus/alert.rules.j2 b/templates/prometheus/config/prometheus/alert.rules.j2
index 4495365..273cc05 100644
--- a/templates/prometheus/config/prometheus/alert.rules.j2
+++ b/templates/prometheus/config/prometheus/alert.rules.j2
@@ -94,7 +94,7 @@ groups:
 expr: 100.0 - 100 * (node_filesystem_free_bytes{env="{{ stage }}",device=~"/dev/mapper/.*"} / node_filesystem_size_bytes{device!="/dev/loop1",env="{{ stage }}",device=~"/dev/mapper/.*"}) > {{ prometheus_alert_diskspaceusage_warning }}
 for: 10m
 labels:
- severity: warning
+ severity: critical
 annotations:
 summary: "Disk Space Usage (instance {{ '{{' }} $labels.instance {{ '}}' }})"
 description: "Disk Space on Drive is used more than {{ prometheus_alert_diskspaceusage_warning }}%\n VALUE = {{ '{{' }} $value {{ '}}' }}\n LABELS: {{ '{{' }} $labels {{ '}}' }}"
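Review bot: With `severity: critical` the rule still thresholds on `prometheus_alert_diskspaceusage_warning` and its `summary`/`description` annotations describe it as the warning-level alert, so any Alertmanager route keyed on severity will page for what the variable name and text still call a warning. If this is meant to become the critical rule, rename the threshold variable (and its default) to match, or keep the severity and reword the annotations; if a separate critical disk-space rule exists elsewhere in the file (not visible in this hunk), both would now fire at the same severity for the same condition. The enclosing `groups:` list starts before this hunk.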