diff --git a/roles/_digitalocean/tasks/domain.yml b/roles/_digitalocean/tasks/domain.yml
index 13515e4..75d7ba0 100644
--- a/roles/_digitalocean/tasks/domain.yml
+++ b/roles/_digitalocean/tasks/domain.yml
@@ -16,7 +16,7 @@
 - name: Parse DNS entry for {{ record_name }}.{{ domain }}
   set_fact:
-    domain_record: "{{ domain_records_response_json.domain_records | json_query(jmesquery) | first | default({'name': '-', 'ip': '-'}) }}"
+    domain_record: "{{ domain_records_response_json.domain_records | json_query(jmesquery) | first | default({'name': '-', 'ip': '-'}) }}"
   vars:
     jmesquery: '[*].{id: id, name: name, ip: data}'
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index d6bfbc3..476e685 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -180,8 +180,9 @@
 - name: sshd configuration file update
   template:
     src: 'configs/sshd/sshd_config.j2'
-    dest: '/etc/ssh/sshd_config'
-    backup: yes
+    dest: '/etc/ssh/sshd_config.new'
+    owner: 'root'
+    group: 'root'
     mode: 0644
   notify:
     - restart ssh
diff --git a/roles/hcloud/tasks/main.yml b/roles/hcloud/tasks/main.yml
index 5ec5ded..260762b 100644
--- a/roles/hcloud/tasks/main.yml
+++ b/roles/hcloud/tasks/main.yml
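Review bot: In the roles/common/tasks/main.yml hunk the template now writes to `/etc/ssh/sshd_config.new` yet still notifies `restart ssh`, so unless a later task outside this hunk moves the file into place, the handler restarts sshd on the old config and the new one never takes effect; if something does move it, the dropped `backup: yes` was the only rollback copy. Either way sshd should not be restarted on an unvalidated file — add `validate: '/usr/sbin/sshd -t -f %s'` to the template task so a broken config fails the play instead of locking out SSH. Minor: quote the mode as `mode: '0644'`, as the Ansible docs recommend, so the leading-zero literal is not subject to YAML octal parsing.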
@@ -2,6 +2,58 @@
 ### tags:
+- name: Get all Firewalls from Hetzner
+  uri:
+    url: "https://api.hetzner.cloud/v1/firewalls"
+    headers:
+      accept: application/json
+      authorization: Bearer {{ hetzner_authentication_token }}
+    return_content: yes
+  register: hetzner_firewalls_response
+  delegate_to: 127.0.0.1
+
+- name: Save firewall entries as variable (fact)
+  set_fact:
+    hetzner_firewalls_response_json: "{{ hetzner_firewalls_response.json }}"
+
+- name: Parse firewall entry for default
+  set_fact:
+    firewall_record: "{{ hetzner_firewalls_response_json.firewalls | json_query(jmesquery) | first | default({'name': '-', 'id': '-'}) }}"
+  vars:
+    jmesquery: '[*].{id: id, name: name}'
+
+- name: Print firewall entry for default
+  debug:
+    msg: "{{ firewall_record }}"
+
+- name: Save firewall entry default
+  uri:
+    method: POST
+    url: "https://api.hetzner.cloud/v1/firewalls"
+    body_format: json
+    body: "{{ lookup('template','firewall-default.json.j2') }}"
+    headers:
+      accept: application/json
+      authorization: Bearer {{ hetzner_authentication_token }}
+    return_content: yes
+    status_code: 201
+  when: firewall_record.id == '-'
+  delegate_to: 127.0.0.1
+
+- name: Update firewall entry default
+  uri:
+    method: PUT
+    url: "https://api.hetzner.cloud/v1/firewalls/{{ firewall_record.id }}"
+    body_format: json
+    body: "{{ lookup('template','firewall-default.json.j2') }}"
+    headers:
+      accept: application/json
+      authorization: Bearer {{ hetzner_authentication_token }}
+    return_content: yes
+    status_code: 200
+  when: firewall_record.id != '-'
+  delegate_to: 127.0.0.1
+
 - name: Create new server {{ inventory_hostname }}
   hetzner.hcloud.hcloud_server:
     api_token: "{{ hetzner_authentication_token }}"
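Review bot: `jmesquery: '[*].{id: id, name: name}'` in the "Parse firewall entry for default" task selects every firewall in the project and `first` then takes whichever the API lists first, not the one named `default`; with any other firewall present, the PUT task keyed on `firewall_record.id` rewrites that firewall instead. Filter by name in the query, `jmesquery: "[?name=='default'].{id: id, name: name}"`, so the create/update branches refer to the right object; the list endpoint is also paginated, so a client-side search over an unfiltered list can miss entries beyond the first page. The three `uri` tasks send the bearer token in the `authorization` header; consider `no_log: true` on them so the token is not echoed in verbose task output. Minor: `return_content: yes` should be `true`.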
@@ -9,28 +61,10 @@
     server_type: "{{ hetzner_server_type }}"
     image: "{{ hetzner_server_image }}"
     ssh_keys: "{{ hetzner_ssh_keys }}"
+    location: nbg1
     state: present
   delegate_to: 127.0.0.1
-#- name: Create management network and server {{ inventory_hostname }}
-#  hetzner.hcloud.hcloud_server_network:
-#    api_token: "{{ hetzner_authentication_token }}"
-#    network: "management"
-#    server: "{{ inventory_hostname }}"
-#    state: present
-#  delegate_to: 127.0.0.1
-
-#- hetzner.hcloud.hcloud_firewall:
-#    api_token: "{{ hetzner_authentication_token }}"
-#    name: "{{ inventory_hostname }}"
-#    rules:
-#      - direction: in
-#        protocol: icmp
-#        source_ips:
-#          - 212.121.131.106/0
-#    state: present
-#  delegate_to: 127.0.0.1
-
 - name: Gather current server infos
   hcloud_server_info:
     api_token: "{{ hetzner_authentication_token }}"
diff --git a/roles/hcloud/templates/firewall-default.json.j2 b/roles/hcloud/templates/firewall-default.json.j2
new file mode 100644
index 0000000..53ab8b8
--- /dev/null
+++ b/roles/hcloud/templates/firewall-default.json.j2
@@ -0,0 +1,64 @@
+{
+  "name": "default",
+  "labels": {
+  },
+  "rules": [
+    {
+      "direction": "in",
+      "protocol": "icmp",
+      "port": null,
+      "source_ips": [
+        "0.0.0.0/0",
+        "::/0"
+      ],
+      "destination_ips": [
+      ]
+    },
+    {
+      "direction": "in",
+      "protocol": "tcp",
+      "port": "22",
+      "source_ips": [
+        "212.121.131.106/32",
+        "5.9.148.23/32"
+      ],
+      "destination_ips": [
+      ]
+    },
+    {
+      "direction": "in",
+      "protocol": "tcp",
+      "port": "80",
+      "source_ips": [
+        "0.0.0.0/0",
+        "::/0"
+      ],
+      "destination_ips": [
+      ]
+    },
+    {
+      "direction": "in",
+      "protocol": "tcp",
+      "port": "443",
+      "source_ips": [
+        "0.0.0.0/0",
+        "::/0"
+      ],
+      "destination_ips": [
+      ]
+    },
+    {
+      "direction": "in",
+      "protocol": "tcp",
+      "port": "9080-9085",
+      "source_ips": [
+        "212.121.131.106/32",
+        "5.9.148.23/32"
+      ],
+      "destination_ips": [
+      ]
+    }
+  ],
+  "applied_to": [
+  ]
+}
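Review bot: `location: nbg1` is the only creation parameter hard-coded in the "Create new server" task while `server_type`, `image` and `ssh_keys` come from `hetzner_*` variables, so a host that should be placed elsewhere cannot override it from inventory. Move it to a role default following the existing naming, e.g. `location: "{{ hetzner_server_location }}"` (variable name chosen here for illustration), and the task stays consistent with the rest of the role.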
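Review bot: `"applied_to": []` leaves the firewall attached to nothing, and the `hcloud_server` task in this role passes no `firewalls:` list, so the rules restricting port 22 and 9080-9085 to two management addresses protect no server until the firewall is applied elsewhere; either list the target in the template or attach it in the server task. As far as I recall, the Hetzner API's create request takes `apply_to` (the response field is `applied_to`) and `PUT /firewalls/{id}` updates only name and labels, with rules changed through the `set_rules` action — worth confirming against the API docs, because if so the "Update firewall entry default" task silently leaves existing rules unchanged. The two management source addresses are also hard-coded in a template that contains no Jinja at all; a loop over a role variable would keep them next to the other `hetzner_*` settings and make the allow-list reviewable in one place.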
diff --git a/roles/hetzner-state/tasks/main.yml b/roles/hetzner-state/tasks/main.yml
index df11951..1b8b080 100644
--- a/roles/hetzner-state/tasks/main.yml
+++ b/roles/hetzner-state/tasks/main.yml
@@ -5,6 +5,7 @@
 - name: Ensure the server {{ inventory_hostname }} is {{ hetzner_state }}
   hcloud_server:
     api_token: "{{ hetzner_authentication_token }}"
+    image: "{{ hetzner_server_image }}"
     name: "{{ inventory_hostname }}"
     state: "{{ hetzner_state }}"
   delegate_to: 127.0.0.1
diff --git a/stage-dev b/stage-dev
index 7dae428..80b4429 100644
--- a/stage-dev
+++ b/stage-dev
@@ -2,9 +2,7 @@
 dev-elastic-stack-01
 dev-elastic-stack-02
 dev-elastic-stack-03
-dev-prometheus-01
-
-[prometheus]
+dev-docker-registry-01
 dev-prometheus-01
 
 [stage_dev:children]
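Review bot: The added `image` line is undocumented: this task only sets `hetzner_state` on a server by name, and nothing in the hunk says why an image is now needed. If the intent is to let `hcloud_server` create the machine when `hetzner_state` is `present`, the task now duplicates part of the creation in roles/hcloud/tasks/main.yml without its `server_type`, `ssh_keys` and `location`, so the two definitions can drift; a comment such as `# image is needed here because <reason>` would settle it, or drop the key if the module does not require it. If the collection version in use applies an image change to an existing server (rebuild semantics), this line would also be destructive — confirm before merging.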
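Review bot: Removing the `[prometheus]` header moves `dev-prometheus-01` and the new `dev-docker-registry-01` into whichever group opens at line 1, outside this hunk, and leaves no `prometheus` group in the inventory; any play or `hosts:` pattern still targeting `prometheus` would then match nothing and be skipped with only a warning rather than fail. If the group was dropped on purpose, the playbooks referencing it should be updated in the same commit; if not, keep `[prometheus]` with `dev-prometheus-01` under it and put the registry host in its own group.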