DEV-1161 added cockpit vm to demostage

group_vars/stage_demompmx/firewall.yml

@@ -140,4 +140,31 @@ hcloud_firewall_objects_keycloak:
      -
        type: label_selector
        label_selector:
-         selector: 'stage={{ stage }},service=keycloak'
+         selector: 'stage={{ stage }},service=keycloak'
+
+hcloud_firewall_objects_cockpit:
+   -
+     name: "{{ stage }}-access-to-cockpit"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: 
+          - '0.0.0.0/0'
+        destination_ips: []
+        description: "Whitelisting ALL(also from UNTRUST) incoming HTTPS traffic for cockpit-instance(s))"
+     -
+        direction: in
+        protocol: tcp
+        port: '80'
+        source_ips: 
+          - '0.0.0.0/0'
+        destination_ips: []
+        description: "Whitelisting ALL(also from UNTRUST) incoming HTTPS traffic for cockpit-instance(s))"
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }},service=cockpit'

hcloud_firewall.yml

@@ -131,5 +131,14 @@
         loop: "{{ hcloud_firewall_objects_management }}"
         loop_control:
           loop_var: firewall_object
+      
+      - name: "Setup hcloud firewalls for cockpit..."
+        include_role:
+          name: hetzner-ansible-hcloud
+          tasks_from: configure-firewall2
+        loop: "{{ hcloud_firewall_objects_cockpit }}"
+        loop_control:
+          loop_var: firewall_object
+        when: stage == 'demompmx'
       # end of BLOCK
       when: hcloud_firewall_app_specific_stuff | default(True)

host_vars/demompmx-cockpit-01/plain.yml

@@ -0,0 +1,6 @@
+---
+hetzner_server_type: cpx21
+hetzner_server_labels: "stage={{ stage }} service=cockpit"
+
+custom_stage_platform_users:
+  - 'paul.zinke'

roles/nginx/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+
+
+nginx_image: "nginx"

roles/nginx/files/nginx.conf

@@ -0,0 +1,15 @@
+server {
+    listen 80;
+    server_name localhost;
+
+    location / {
+        root /usr/share/nginx/html;
+        index index.html index.htm;
+        try_files $uri $uri/ /index.html;
+    }
+
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
+}

roles/nginx/tasks/main.yml

@@ -0,0 +1,67 @@
+- name: "Setup DNS configuration for {{ inventory_hostname }}"
+  include_role:
+    name: hetzner-ansible-dns
+  vars:
+    record_data: "{{ stage_server_ip }}"
+    record_name: "{{ inventory_hostname }}"
+
+
+- name: Create a directory dist if it does not exist
+  ansible.builtin.file:
+    path: "{{ service_base_path }}/{{ inventory_hostname }}/dist"
+    state: directory
+    mode: '0777'
+
+- name: Create a directory conf if it does not exist
+  ansible.builtin.file:
+    path: "{{ service_base_path }}/{{ inventory_hostname }}/conf"
+    state: directory
+    mode: '0755'
+
+- name: "Providing nginx.conf"
+  become: yes
+  copy:
+    src: '{{ item }}'
+    dest: '{{ service_base_path }}/{{ inventory_hostname }}/conf'
+    mode: '0755'
+  with_items:
+    - nginx.conf
+
+
+- name: "Check if {{ inventory_hostname }}/docker-compose.yml exists"
+  stat:
+    path: '{{ service_base_path }}/{{ inventory_hostname }}/docker-compose.yml'
+  register: check_docker_compose_file
+  tags:
+    - update_deployment
+
+- name: "Stop {{ inventory_hostname }}"
+  community.docker.docker_compose:
+    project_src: '{{ service_base_path }}/{{ inventory_hostname }}'
+    state: absent
+  when: check_docker_compose_file.stat.exists
+  tags:
+    - update_deployment
+
+- name: "Deploy docker templates for {{ inventory_hostname }}"
+  include_role:
+    name: hetzner-ansible-sma-deploy
+    tasks_from: templates
+  vars:
+    current_config: "_docker"
+    current_base_path: "{{ service_base_path }}"
+    current_destination: "{{ inventory_hostname }}"
+    current_owner: "{{ docker_owner }}"
+    current_group: "{{ docker_group }}"
+    current_docker: "{{ nginx_docker }}"
+  tags:
+    - update_deployment
+
+
+- name: "Start {{ inventory_hostname }}"
+  community.docker.docker_compose:
+    project_src: '{{ service_base_path }}/{{ inventory_hostname }}'
+    state: present
+    pull: yes
+  tags:
+    - update_deployment

roles/nginx/vars/main.yml

@@ -0,0 +1,37 @@
+---
+
+nginx_id: "{{ inventory_hostname }}-nginx"
+
+nginx_labels: [
+  '"traefik.enable=true"',
+  '"traefik.http.routers.{{ nginx_id }}.service={{ nginx_id }}"',
+  '"traefik.http.routers.{{ nginx_id }}.rule=Host(`{{ stage_server_domain }}`)"',
+  '"traefik.http.routers.{{ nginx_id }}.entrypoints=websecure"',
+  '"traefik.http.routers.{{ nginx_id }}.tls=true"',
+  '"traefik.http.routers.{{ nginx_id }}.tls.certresolver=letsencrypt"',
+  '"traefik.http.services.{{ nginx_id }}.loadbalancer.server.port={{ http_port }}"',
+]
+
+nginx_docker: {
+  networks: [
+    {
+      name: front-tier,
+      external: true,
+    },
+  ],
+  services: [
+    {
+      name: "{{ nginx_id }}",
+      image_name: "{{ nginx_image }}",
+      image_version: alpine,
+      labels: "{{ nginx_labels }}",
+      volumes: [
+        "{{ service_base_path }}/{{ inventory_hostname }}/dist:/usr/share/nginx/html",
+        "{{ service_base_path }}/{{ inventory_hostname }}/conf/nginx.conf:/etc/nginx/conf.d/default.conf"
+      ],
+      networks: [
+        '"front-tier"',
+      ],
+    }
+  ],
+}

smardigo.yml

@@ -75,3 +75,6 @@
 
     - role: mpmx
       when: "'mpmx' in group_names"
+
+    - role: nginx
+      when: "'nginx' in group_names"

stage-demompmx

@@ -29,6 +29,9 @@ demompmx-management-01
 [maria]
 demompmx-maria-01
 
+[nginx]
+demompmx-cockpit-01
+
 [pgadmin4]
 demompmx-pgadmin4-01
 
@@ -85,6 +88,7 @@ kibana
 logstash
 management
 maria
+nginx
 pgadmin4
 postfix
 postgres

users/paul.zinke/ssh.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClbMV7J5W6F9rAo5h7m04Og8TclBsshZfIOgBPu7V9p nso\paul.zinke@NSO-NB01576