diff --git a/group_vars/stage_prodnso/keycloak.yml b/group_vars/stage_prodnso/keycloak.yml
index aa6231f..ac13b62 100644
--- a/group_vars/stage_prodnso/keycloak.yml
+++ b/group_vars/stage_prodnso/keycloak.yml
@@ -1,4 +1,8 @@
 keycloak_https_whitelisted_ips:
 - 195.200.47.243/32 # DEV-230 - sparda berlin
 - 195.200.47.244/32 # DEV-230 - sparda berlin
- - 92.42.192.157/32 # MOB-28 - mobene
\ No newline at end of file
+ - 92.42.192.157/32 # MOB-28 - mobene
+ - 195.140.123.0/24 # DEV-628 - spk bautzen
+ - 195.140.44.0/24 # DEV-628 - spk bautzen
+ - 62.181.145.0/24 # DEV-628 - spk bautzen
+ - 62.181.146.0/24 # DEV-628 - spk bautzen
diff --git a/host_vars/ext-bdev-mpmexec-02/plain.yml b/host_vars/ext-bdev-mpmexec-02/plain.yml
index 1e9449a..30fc143 100644
--- a/host_vars/ext-bdev-mpmexec-02/plain.yml
+++ b/host_vars/ext-bdev-mpmexec-02/plain.yml
@@ -4,8 +4,8 @@ hetzner_server_labels: "stage={{ stage }} service=connect_simple tenant={{ tenan
 hetzner_server_type: 'cpx31'
-connect_external_domain: "ext-bdev-mpmexec-connect"
-keycloak_external_domain: "ext-bdev-mpmexec-keycloak"
+connect_external_subdomain: "ext-bdev-mpmexec-connect"
+keycloak_external_subdomain: "ext-bdev-mpmexec-keycloak"
 traefik_dns_01_challenge: false
diff --git a/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml b/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml
new file mode 100644
index 0000000..ee55221
--- /dev/null
+++ b/host_vars/prodnso-spkbz-cuskfzbrief-01/plain.yml
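Review bot: The four `DEV-628 - spk bautzen` entries widen `keycloak_https_whitelisted_ips` from single hosts (every existing entry is a /32) to four whole /24 networks, i.e. 1024 addresses allowed to reach the Keycloak login, account and admin-console endpoints. Confirm against the DEV-628 ticket or the RIPE assignment that Sparkasse Bautzen really egresses from all four blocks and does not share them with other customers of its provider; if only a handful of NAT addresses are used, list those as /32 like the other tenants. If the full ranges are intentional, say so in the comment, e.g. `- 195.140.123.0/24 # DEV-628 - spk bautzen (whole range confirmed with customer network team)`, so the breadth is not mistaken for a typo later.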
@@ -0,0 +1,50 @@
+---
+
+dns: hetzner
+domain: "kfzbrief-bautzen.de"
+domain_env: "smardigo.digital"
+traefik_letsencrypt_provider: "hetzner"
+
+# hetzner mail server
+connect_mail_protocol: "smtp"
+connect_mail_host: "mail.your-server.de"
+connect_mail_port: "587"
+connect_mail_user: "{{ connect_mail_user_vault }}"
+connect_mail_password: "{{ connect_mail_password_vault }}"
+connect_mail_properties_simulation: false
+connect_mail_properties_base_url: "https://smardigo.kfzbrief-bautzen.de"
+connect_mail_properties_base_url_extern: "https://smardigo.kfzbrief-bautzen.de"
+connect_mail_properties_sender: "{{ connect_mail_user_vault }}"
+connect_mail_properties_sender_alias: "noreply-smardigo"
+connect_mail_properties_smtp_auth: true
+connect_mail_properties_smtp_starttls_enable: true
+connect_mail_properties_smtp_starttls_required: true
+
+# smardigo.fzbrief-bautzen.de
+connect_external_subdomain: "smardigo"
+connect_labels_additional: [
+ '"traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"',
+ '"traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)"',
+ '"traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"',
+ '"traefik.http.routers.{{ connect_id }}-extern.tls=true"',
+ '"traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt"',
+ '"traefik.http.services.{{ connect_id }}-extern.loadbalancer.server.port={{ service_port }}"',
+]
+
+server_hcloud_firewall_objects:
+ -
+ name: "customer-access-to-{{ inventory_hostname }}"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: tcp
+ port: '443'
+ source_ips: "{{ additional_ip_adresses_vault }}"
+ destination_ips: []
+ description: customer specific access to https services
+ apply_to:
+ -
+ type: server
+ server:
+ id: '{{ stage_server_id }}'
diff --git a/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml b/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml
new file mode 100644
index 0000000..36a9a3a
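Review bot: The only object in `server_hcloud_firewall_objects` allows tcp/443 from `additional_ip_adresses_vault` and nothing else; a Hetzner Cloud firewall drops every other inbound packet once it is attached to the server, so unless another firewall covers it (nothing in this file, and the role hunk in this commit only loops over this list, does), the first run cuts off SSH for Ansible itself and port 80 if the `letsencrypt` resolver is HTTP-01. Add the management rule in the same object — a second `rules:` entry with `port: '22'` and `source_ips:` limited to the control host — or state in a comment which separately managed firewall provides it; remember that a host_vars list replaces, not extends, any group-level `server_hcloud_firewall_objects`. Two smaller things: the `-extern` router sets `tls.certresolver=letsencrypt` while the compact templates in this commit use `letsencrypt-http`, so check the name against this host's Traefik static configuration (an unknown resolver makes Traefik serve its default self-signed certificate rather than fail); and the comment `# smardigo.fzbrief-bautzen.de` is missing the `k`.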
--- /dev/null
+++ b/host_vars/prodnso-spkbz-cuskfzbrief-01/vault.yml
@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+33623661396231316264336334366662616361383165643162333435636164376537633634353831
+6330346162656138303539323433353034376635363731640a666263336165643661633039343131
+32376432373666363639336465363835636139663963666433623266663965623063636236393135
+6163313838323639300a643236656466613463633332383033376466373362306239333034343633
+31386235326366306238373664633338303233336134333537373930663333383536343465373161
+38336666343765356463383934373939306338376465623266323735643535363339383733396364
+66373937663432663765326437376465326566303863333033643833663734613061333066663134
+30306563376536646538616361653630646463316334373634336435613537663238666235323766
+33333538326639353366363736393735306238383466653834636531623233613639393732613466
+39333266396531326166346566353533613536646637613131663462663934623363663363653163
+61336139653036373566616335396565353537366263396236306261363439623236316430633532
+37663137313437326534646230613561343435343266666665383561666365323863316464393839
+34303665623265383064313965643630613938656538363162656139613365616633346666353761
+63363864666163633661616664623937616366383138333763636135356334346337323132656538
+36316565383935363136666437393133393063636230366237303030386665373133306665623933
+62326562333931373764
diff --git a/inventory_plugins/netgo-hcloud.py b/inventory_plugins/netgo-hcloud.py
index 3bfd999..0c1bd69 100644
--- a/inventory_plugins/netgo-hcloud.py
+++ b/inventory_plugins/netgo-hcloud.py
@@ -212,7 +212,7 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
 if networkId == privateNet["network"]:
 serverPrivateIp = privateNet["ip"]
- display.display("server:<" + serverName + ">, stage=<" + serverStage + ">, service=<" + serverService + ">, publicIp=<" + serverPublicIp + ">, privateIp=<" + serverPrivateIp + ">, publicIngressLBIp=<" + loadbalancerPublicIp + ">, privateIngressLBIp=<" + loadbalancerPrivateIp + ">")
+ display.display("id: <" + str(serverId) + ">, server:<" + serverName + ">, stage=<" + serverStage + ">, service=<" + serverService + ">, publicIp=<" + serverPublicIp + ">, privateIp=<" + serverPrivateIp + ">, publicIngressLBIp=<" + loadbalancerPublicIp + ">, privateIngressLBIp=<" + loadbalancerPrivateIp + ">")
 self.inventory.add_group(group=serverService)
 self.inventory.add_group(group="stage_" + serverStage)
@@ -227,6 +227,7 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
 if serverService == "kube_control_plane" or serverService == "kube_node":
 self.inventory.add_host(serverName, group="k8s_cluster")
+ self.inventory.set_variable(serverName, 'stage_server_id', serverId)
 self.inventory.set_variable(serverName, 'stage_server_ip', serverPublicIp)
 self.inventory.set_variable(serverName, 'ansible_ssh_host', serverPublicIp)
 self.inventory.set_variable(serverName, 'stage_private_server_ip', serverPrivateIp)
diff --git a/roles/connect/tasks/main.yml b/roles/connect/tasks/main.yml
index c16e992..423ac6b 100644
--- a/roles/connect/tasks/main.yml
+++ b/roles/connect/tasks/main.yml
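Review bot: The rewritten `display.display(...)` in the first hunk is now a chain of seventeen `+`-joined operands with a manual `str(serverId)`, which is also why the spacing came out inconsistent (`id: <` next to `server:<`); an f-string keeps each value beside its label and formats the id without the cast, e.g. `display.display(f"id: <{serverId}>, server:<{serverName}>, stage=<{serverStage}>, service=<{serverService}>, publicIp=<{serverPublicIp}>, privateIp=<{serverPrivateIp}>, publicIngressLBIp=<{loadbalancerPublicIp}>, privateIngressLBIp=<{loadbalancerPrivateIp}>")`, assuming the plugin no longer has to run on Python 2. Note the two forms differ when one of the other operands is not a string: the concatenation raises TypeError, the f-string prints `None`, so pick the behaviour you want for an inventory run rather than inheriting it. The enclosing method starts before this hunk and continues past it.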
@@ -4,6 +4,26 @@
 ### update_certs
 ### update_deployment
+
+- name: "Setup hcloud firewalls for <{{ inventory_hostname }}>"
+ include_role:
+ name: hcloud
+ tasks_from: configure-firewall2
+ loop: "{{ server_hcloud_firewall_objects }}"
+ loop_control:
+ loop_var: firewall_object
+ when:
+ - server_hcloud_firewall_objects is defined
+
+- name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>"
+ include_role:
+ name: dns
+ vars:
+ record_data: "{{ stage_server_ip }}"
+ record_name: "{{ connect_external_subdomain }}"
+ when:
+ - connect_external_subdomain is defined
+
 - name: "Setup DNS configuration for <{{ connect_id }}> to <{{ stage_server_ip }}>"
 include_role:
 name: dns
diff --git a/roles/connect_compact/defaults/main.yml b/roles/connect_compact/defaults/main.yml
index 9122680..9081743 100644
--- a/roles/connect_compact/defaults/main.yml
+++ b/roles/connect_compact/defaults/main.yml
@@ -32,12 +32,12 @@ current_realm_clients: [
 root_url: '',
 redirect_uris: [
 "{{ http_s }}://{{ connect_base_url }}/*",
- "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}/*",
+ "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}/*",
 ],
 secret: '{{ connect_client_id }}',
 web_origins: [
 "{{ http_s }}://{{ connect_base_url }}",
- "{{ http_s }}://{{ connect_external_domain }}.{{ domain }}",
+ "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}",
 ]
 },{
 name: 'mpm',
diff --git a/roles/connect_compact/tasks/main.yml b/roles/connect_compact/tasks/main.yml
index d25f209..80a515d 100644
--- a/roles/connect_compact/tasks/main.yml
+++ b/roles/connect_compact/tasks/main.yml
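Review bot: In the new `Setup hcloud firewalls` task the `loop` value is templated before `when` is evaluated, so on any host that does not define `server_hcloud_firewall_objects` the task aborts with an undefined-variable error instead of being skipped; the `when: server_hcloud_firewall_objects is defined` guard never gets a chance to fire. Use the idiom the Ansible documentation gives for this case and make the loop itself empty, `loop: "{{ server_hcloud_firewall_objects | default([]) }}"`, after which the `when` is redundant. The ordering firewall → external DNS → internal DNS is the right one (the name is published only after access has been restricted), and that is worth a one-line comment above the firewall task so nobody reorders it later.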
@@ -7,13 +7,13 @@
 record_data: "{{ stage_server_ip }}"
 record_name: "{{ connect_id }}"
-- name: "Setup DNS configuration for <{{ connect_external_domain }}> to <{{ stage_server_ip }}>"
+- name: "Setup DNS configuration for <{{ connect_external_subdomain }}> to <{{ stage_server_ip }}>"
 include_role:
 name: dns
 vars:
 record_data: "{{ stage_server_ip }}"
- record_name: "{{ connect_external_domain }}"
- when: connect_external_domain is defined
+ record_name: "{{ connect_external_subdomain }}"
+ when: connect_external_subdomain is defined
 - name: "Setup realm for {{ connect_id }}"
 include_role:
diff --git a/roles/connect_realm/defaults/main.yml b/roles/connect_realm/defaults/main.yml
index 627a072..2ecf841 100644
--- a/roles/connect_realm/defaults/main.yml
+++ b/roles/connect_realm/defaults/main.yml
@@ -3,21 +3,27 @@ connect_client_admin_password: "C0nnect-Admin!" connect_realm_admin_password: "C0nnect-Realm-Admin!" +client_web_origin_connect: "{{ http_s }}://{{ connect_base_url }}" +client_web_origin_wordpress: "{{ http_s }}://{{ wordpress_base_url }}" +client_web_origin_connect_external: "{{ http_s }}://{{ connect_external_subdomain }}.{{ domain }}" + current_realm_clients: [ { - name: '{{ connect_client_id }}', + name: "{{ connect_client_id }}", clientId: "{{ connect_client_id }}", - admin_url: '', - root_url: '', - redirect_uris: [ - "{{ http_s }}://{{ connect_base_url }}/*", - "{{ http_s }}://{{ wordpress_base_url }}/*", - ], + admin_url: "", + root_url: "", + redirect_uris: "{{ + [client_web_origin_connect + '/*'] + + ([client_web_origin_wordpress + '/*'] if 'connect_wordpress' in groups else []) + + ([client_web_origin_connect_external + '/*'] if connect_external_subdomain is defined else []) + }}", secret: '{{ connect_client_id }}', - web_origins: [ - "{{ http_s }}://{{ connect_base_url }}", - "{{ http_s }}://{{ wordpress_base_url }}", - ] + web_origins: "{{ + [client_web_origin_connect] + + ([client_web_origin_wordpress] if 'connect_wordpress' in groups else []) + + ([client_web_origin_connect_external] if connect_external_subdomain is defined else []) + }}", } ] diff --git a/roles/keycloak_compact/tasks/main.yml b/roles/keycloak_compact/tasks/main.yml index 4a09a43..850b06d 100644 --- a/roles/keycloak_compact/tasks/main.yml +++ b/roles/keycloak_compact/tasks/main.yml 
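Review bot: The rewritten client definition keeps `secret: '{{ connect_client_id }}'`, i.e. the OIDC client secret is the client id, a value that is sent in every authorization request and is therefore public; the same pattern is repeated in `connect_compact` and in the compose template's `OIDC_CLIENT_SECRET: "{{ connect_id }}"` elsewhere in this commit. If the client is meant to be confidential the secret should come from a vaulted per-host variable, e.g. `secret: "{{ connect_client_secret_vault }}"`; if it is meant to be public it should be declared as a public client with PKCE rather than carry a guessable secret. The new `redirect_uris`/`web_origins` values build the lists inside one Jinja string and rely on Ansible turning the rendered list literal back into a list, which works but is not obvious; a short comment above `client_web_origin_connect` explaining that, and why the wordpress and external origins are conditional (group membership, `connect_external_subdomain`), would help the next reader. The hard-coded `connect_client_admin_password` / `connect_realm_admin_password` defaults at the top of the hunk are unchanged context, but are still worth moving behind vaulted variables.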
@@ -10,13 +10,13 @@
 record_data: "{{ stage_server_ip }}"
 record_name: "{{ keycloak_id }}"
-- name: "Setup DNS configuration for <{{ keycloak_external_domain }}> to <{{ stage_server_ip }}>"
+- name: "Setup DNS configuration for <{{ keycloak_external_subdomain }}> to <{{ stage_server_ip }}>"
 include_role:
 name: dns
 vars:
 record_data: "{{ stage_server_ip }}"
- record_name: "{{ keycloak_external_domain }}"
- when: keycloak_external_domain is defined
+ record_name: "{{ keycloak_external_subdomain }}"
+ when: keycloak_external_subdomain is defined
 - name: "Check if {{ keycloak_id }}/docker-compose.yml exists"
 stat:
diff --git a/tasks/autodiscover_pre_tasks.yml b/tasks/autodiscover_pre_tasks.yml
index b15dae9..c84095c 100644
--- a/tasks/autodiscover_pre_tasks.yml
+++ b/tasks/autodiscover_pre_tasks.yml
@@ -103,7 +103,7 @@
 {% if server.labels.manual is not defined %}\
 {% for private_net in server.private_net %}\
 {% if private_net.network == stage_private_network_id|int %}\
- {{ list.append({'service': server.labels.service, 'private_ip': private_net.ip, 'public_ip': server.public_net.ipv4.ip, 'name': server.name}) }}\
+ {{ list.append({'service': server.labels.service, 'private_ip': private_net.ip, 'public_ip': server.public_net.ipv4.ip, 'name': server.name, 'id': server.id}) }}\
 {% endif %}\
 {% endfor %}\
 {% endif %}\
@@ -122,33 +122,36 @@
 when:
 - debug
-- name: "Reading private ip address for {{ inventory_hostname }}"
+- name: "Reading server id for {{ inventory_hostname }}"
 set_fact:
- stage_private_server_ip: "{% for server in hetzner_servers %}\
- {% if server.name == inventory_hostname %}\
- {% for private_net in server.private_net %}\
- {% if private_net.network == stage_private_network_id|int %}\
- {{ private_net.ip }}\
- {% endif %}\
- {% endfor %}\
- {% endif %}\
- {% endfor %}"
+ stage_server_id: "{{ stage_server_infos | json_query(querystr) | first | default('') }}"
+ vars:
+ querystr: "[?name=='{{ inventory_hostname }}'].id"
 delegate_to: 127.0.0.1
 tags:
 - always
 - name: "Reading public ip address for {{ inventory_hostname }}"
 set_fact:
- stage_server_ip: "{{ hetzner_servers | json_query(querystr) | first | default('') }}"
+ stage_server_ip: "{{ stage_server_infos | json_query(querystr) | first | default('') }}"
+ vars:
+ querystr: "[?name=='{{ inventory_hostname }}'].public_ip"
+ delegate_to: 127.0.0.1
+ tags:
+ - always
+
+- name: "Reading private ip address for {{ inventory_hostname }}"
+ set_fact:
+ stage_private_server_ip: "{{ stage_server_infos | json_query(querystr) | first | default('') }}"
 vars:
- querystr: "[?name=='{{ inventory_hostname }}'].public_net.ipv4.ip"
+ querystr: "[?name=='{{ inventory_hostname }}'].private_ip"
 delegate_to: 127.0.0.1
 tags:
 - always
 - name: "Printing ip addresses for {{ inventory_hostname }}"
 debug:
- msg: "{{ stage_server_ip }} / {{ stage_private_server_ip }}"
+ msg: "{{ stage_server_id }} / {{ stage_server_ip }} / {{ stage_private_server_ip }}"
 delegate_to: 127.0.0.1
 tags:
 - always
diff --git a/templates/connect-compact/config/application-linked-applications.yml.j2 b/templates/connect-compact/config/application-linked-applications.yml.j2
index 07628fb..6df8166 100644
--- a/templates/connect-compact/config/application-linked-applications.yml.j2
+++ b/templates/connect-compact/config/application-linked-applications.yml.j2
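Review bot: All three lookups end in `| first | default('')`, so a host that is absent from `stage_server_infos` (for instance one carrying the `manual` label, which the earlier hunk in this file filters out) silently gets an empty `stage_server_id` and `stage_server_ip`; the id then flows into the hcloud firewall `apply_to: server: id: ''` defined in the new host_vars and the ip into the DNS record, and nothing in this file stops the play first. Add a guard after the three `set_fact` tasks, e.g. `- assert: { that: [stage_server_id | length > 0, stage_server_ip | length > 0], fail_msg: "{{ inventory_hostname }} not found in stage_server_infos" }` with `tags: [always]`. Note also that the inventory plugin in this commit now sets `stage_server_id` as an inventory variable and `set_fact` takes precedence over it, so the two sources must keep agreeing; and `querystr` interpolates `inventory_hostname` into a JMESPath string literal, which is fine for operator-named Hetzner servers but means a name containing a single quote breaks the query instead of simply not matching.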
@@ -2,10 +2,10 @@ smardigo:
 linked-applications:
 - name: Password Change
- url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password
+ url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password
 - name: User Management
- url: https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console
+ url: https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console
 - name: MPM Process Mining
 url: https://mehrwerk-demo.eu.qlikcloud.com
\ No newline at end of file
diff --git a/templates/connect-compact/docker-compose.yml.j2 b/templates/connect-compact/docker-compose.yml.j2
index 53fcd1b..153ab03 100644
--- a/templates/connect-compact/docker-compose.yml.j2
+++ b/templates/connect-compact/docker-compose.yml.j2
@@ -24,10 +24,10 @@ services:
 - "traefik.http.routers.{{ connect_id }}.tls.certresolver=letsencrypt-http"
 - "traefik.http.services.{{ connect_id }}.loadbalancer.server.port=8080"
 {% if
- connect_external_domain is defined
+ connect_external_subdomain is defined
 %}
 - "traefik.http.routers.{{ connect_id }}-extern.service={{ connect_id }}-extern"
- - "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_domain }}.{{ domain }}`)"
+ - "traefik.http.routers.{{ connect_id }}-extern.rule=Host(`{{ connect_external_subdomain }}.{{ domain }}`)"
 - "traefik.http.routers.{{ connect_id }}-extern.entrypoints=websecure"
 - "traefik.http.routers.{{ connect_id }}-extern.tls=true"
 - "traefik.http.routers.{{ connect_id }}-extern.tls.certresolver=letsencrypt-http"
@@ -62,9 +62,9 @@ services:
 OIDC_CLIENT_ID: "{{ connect_id }}"
 OIDC_CLIENT_SECRET: "{{ connect_id }}"
 OIDC_REGISTRATION_ID: "{{ connect_id }}"
- OIDC_ISSUER_URI: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}"
- PASSWORD_CHANGE_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password"
- USER_MANAGEMENT_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console"
+ OIDC_ISSUER_URI: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}"
+ PASSWORD_CHANGE_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/realms/{{ current_realm_name }}/account/password"
+ USER_MANAGEMENT_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth/admin/{{ current_realm_name }}/console"
 IAM_MODULE: "external"
 IAM_CLIENT_ENABLED: "true"
@@ -141,7 +141,7 @@ services:
 restart: always
 environment:
 SERVER_ERROR_INCLUDE_MESSAGE: "always"
- IAM_KEYCLOAK_AUTH_SERVER_URL: "https://{{ keycloak_external_domain }}.{{ domain }}/auth"
+ IAM_KEYCLOAK_AUTH_SERVER_URL: "https://{{ keycloak_external_subdomain }}.{{ domain }}/auth"
 IAM_KEYCLOAK_ADMIN_USER: "{{ keycloak_admin_username }}"
 IAM_KEYCLOAK_ADMIN_PASSWORD: "{{ keycloak_admin_password }}"
 IAM_JWT_CONFIG_READ_TIMEOUT: 3000
diff --git a/templates/keycloak-compact/docker-compose.yml.j2 b/templates/keycloak-compact/docker-compose.yml.j2
index 0db02b1..01acc2b 100644
--- a/templates/keycloak-compact/docker-compose.yml.j2
+++ b/templates/keycloak-compact/docker-compose.yml.j2
@@ -23,10 +23,10 @@ services:
 - "traefik.http.routers.{{ keycloak_id }}.tls.certresolver=letsencrypt-http"
 - "traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port=8080"
 {% if
- keycloak_external_domain is defined
+ keycloak_external_subdomain is defined
 %}
 - "traefik.http.routers.{{ keycloak_id }}-extern.service={{ keycloak_id }}-extern"
- - "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_domain }}.smardigo.digital`)"
+ - "traefik.http.routers.{{ keycloak_id }}-extern.rule=Host(`{{ keycloak_external_subdomain }}.smardigo.digital`)"
 - "traefik.http.routers.{{ keycloak_id }}-extern.entrypoints=websecure"
 - "traefik.http.routers.{{ keycloak_id }}-extern.tls=true"
 - "traefik.http.routers.{{ keycloak_id }}-extern.tls.certresolver=letsencrypt-http"
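Review bot: The `-extern` router rule in this hunk still hard-codes the host as `{{ keycloak_external_subdomain }}.smardigo.digital`, while every other consumer of the same variable in this commit — `OIDC_ISSUER_URI` and `IAM_KEYCLOAK_AUTH_SERVER_URL` in the connect compose template and both URLs in the linked-applications template — builds it as `{{ keycloak_external_subdomain }}.{{ domain }}`. The new `prodnso-spkbz-cuskfzbrief-01` host sets `domain: "kfzbrief-bautzen.de"`, so if a host like it ever defines `keycloak_external_subdomain`, the issuer the application is told to trust and the name Traefik actually routes (and requests a certificate for) differ, and token validation fails on issuer mismatch. Use the same variable here, `Host` on `{{ keycloak_external_subdomain }}.{{ domain }}`, or, if the `.smardigo.digital` suffix is deliberate for Keycloak, route on `{{ domain_env }}` (the new host_vars defines `domain_env: "smardigo.digital"`, which looks like exactly this distinction) and derive the issuer URL from the same variable. The surrounding `{% if %}` block and the labels list continue past the end of the hunk.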