diff --git a/group_vars/all/firewall.yml b/group_vars/all/firewall.yml
new file mode 100644
index 0000000..1d5e6c9
--- /dev/null
+++ b/group_vars/all/firewall.yml
@@ -0,0 +1,202 @@
+---
+hcloud_firewall_objects:
+ -
+ name: "{{ stage }}-default"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: icmp
+ port: ''
+ source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+ destination_ips: []
+ description: ICMP allowed
+ -
+ direction: in
+ protocol: tcp
+ port: '22'
+ source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+ destination_ips: []
+ description: SSH allowed
+ -
+ direction: in
+ protocol: tcp
+ port: '80'
+ source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+ destination_ips: []
+ description: HTTP allowed
+ -
+ direction: in
+ protocol: tcp
+ port: '443'
+ source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+ destination_ips: []
+ description: HTTPS allowed
+ -
+ direction: in
+ protocol: tcp
+ port: 'any'
+ source_ips: '{{ ip_whitelist_admins }}'
+ destination_ips: []
+ description: TCP - allow work from home without VPN
+ -
+ direction: in
+ protocol: udp
+ port: 'any'
+ source_ips: '{{ ip_whitelist_admins }}'
+ destination_ips: []
+ description: UDP - allow work from home without VPN
+ apply_to:
+ -
+ type: label_selector
+ label_selector:
+ selector: 'stage={{ stage }}'
+ -
+ name: "{{ stage }}-monitoring"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: tcp
+ port: '9080-9085'
+ source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+ destination_ips: []
+ description: 'Server/Service Monitoring'
+ -
+ direction: in
+ protocol: tcp
+ port: '9001'
+ source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+ destination_ips: []
+ description: 'PgAdmin'
+ -
+ direction: in
+ protocol: tcp
+ port: '9187'
+ source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+ destination_ips: []
+ description: 'Postgres-Exporter'
+ -
+ direction: in
+ protocol: tcp
+ port: '80'
+ source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+ destination_ips: []
+ description: 'AWX'
+ apply_to:
+ -
+ type: label_selector
+ label_selector:
+ selector: 'stage={{ stage }}'
+ -
+ name: "{{ stage }}-monitoring-extern-https"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: tcp
+ port: '443'
+ source_ips:
+ - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
+ destination_ips: []
+ description: null
+ apply_to:
+ -
+ type: label_selector
+ label_selector:
+ selector: 'service=connect'
+ -
+ type: label_selector
+ label_selector:
+ selector: 'service=keycloak'
+
+hcloud_firewall_objects_awx:
+ -
+ name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: tcp
+ port: '22'
+ source_ips: "{{ src_ips }}"
+ destination_ips: []
+ description: null
+ apply_to:
+ -
+ type: label_selector
+ label_selector:
+ selector: 'stage={{ stage }}'
+ -
+ name: "{{ stage }}-awx-access-SMA-mgmt-instance"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: tcp
+ port: '443'
+ source_ips: "{{ src_ips }}"
+ destination_ips: []
+ description: null
+ apply_to:
+ -
+ type: label_selector
+ label_selector:
+ selector: 'service=connect,tenant=management'
+ -
+ name: "{{ stage }}-awx-access-443-SMA-peripheral-instances"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: tcp
+ port: '443'
+ source_ips: "{{ src_ips }}"
+ destination_ips: []
+ description: null
+ apply_to:
+ -
+ type: label_selector
+ label_selector:
+ selector: 'service=gitea'
+ -
+ type: label_selector
+ label_selector:
+ selector: 'service=kibana'
+
+hcloud_firewall_objects_backup:
+ -
+ name: "{{ stage }}-backup-ssh-access"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: tcp
+ port: '22'
+ source_ips:
+ - "{{ offsite_storage_server_ip }}"
+ destination_ips: []
+ description: null
+ apply_to:
+ -
+ type: label_selector
+ label_selector:
+ selector: 'service=backup'
+
+hcloud_firewall_objects_keycloak:
+ -
+ name: "{{ stage }}-access-to-keycloak"
+ state: present
+ rules:
+ -
+ direction: in
+ protocol: tcp
+ port: '443'
+ source_ips: "{{ ip_whitelist + (keycloak_https_whitelisted_ips | default([])) }}"
+ destination_ips: []
+ description: null
+ apply_to:
+ -
+ type: label_selector
+ label_selector:
+ selector: 'service=keycloak'
diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml
index f51a81d..8201f5e 100644
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
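Review bot: The new `{{ stage }}-access-to-keycloak` object selects `service=keycloak` with no `stage={{ stage }}` constraint, so if several stages share one Hetzner project, this stage's `ip_whitelist` plus `keycloak_https_whitelisted_ips` is granted 443 on every keycloak server in the project rather than only this stage's; `{{ stage }}-monitoring-extern-https` has the same shape. Hetzner Cloud firewalls hold allow rules only and stack additively per server, so the effective exposure is the union across all stages that run this playbook; tightening to `selector: 'service=keycloak,stage={{ stage }}'` (the compound form already used by `{{ stage }}-awx-access-SMA-mgmt-instance`) keeps each stage's whitelist on its own servers. Separately, `service=keycloak` was removed from the AWX 443 firewall but `src_ips` is not part of the new keycloak rule, so AWX loses HTTPS to keycloak unless those addresses are already contained in `ip_whitelist`. Note also that the `dev-blackbox-01` address is resolved by a `dig` lookup at run time, so a failed or changed DNS answer silently changes the rule on every stage the object is applied to.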
@@ -200,117 +200,6 @@ kubernetes_prometheus_endpoint: "{{ stage }}-kube-prometheus.{{ domain }}"
 get_current_date: "{{ lookup('pipe','date +%Y-%m-%d') }}"
 get_current_date_time: "{{ lookup('pipe','date +%Y-%m-%d_%H:%M') }}"
-hcloud_firewall_objects:
- -
- name: "{{ stage }}-default"
- state: present
- rules:
- -
- direction: in
- protocol: icmp
- port: ''
- source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
- destination_ips: []
- description: ICMP allowed
- -
- direction: in
- protocol: tcp
- port: '22'
- source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
- destination_ips: []
- description: SSH allowed
- -
- direction: in
- protocol: tcp
- port: '80'
- source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
- destination_ips: []
- description: HTTP allowed
- -
- direction: in
- protocol: tcp
- port: '443'
- source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
- destination_ips: []
- description: HTTPS allowed
- -
- direction: in
- protocol: tcp
- port: 'any'
- source_ips: '{{ ip_whitelist_admins }}'
- destination_ips: []
- description: TCP - allow work from home without VPN
- -
- direction: in
- protocol: udp
- port: 'any'
- source_ips: '{{ ip_whitelist_admins }}'
- destination_ips: []
- description: UDP - allow work from home without VPN
- apply_to:
- -
- type: label_selector
- label_selector:
- selector: 'stage={{ stage }}'
- -
- name: "{{ stage }}-monitoring"
- state: present
- rules:
- -
- direction: in
- protocol: tcp
- port: '9080-9085'
- source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
- destination_ips: []
- description: 'Server/Service Monitoring'
- -
- direction: in
- protocol: tcp
- port: '9001'
- source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
- destination_ips: []
- description: 'PgAdmin'
- -
- direction: in
- protocol: tcp
- port: '9187'
- source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
- destination_ips: []
- description: 'Postgres-Exporter'
- -
- direction: in
- protocol: tcp
- port: '80'
- source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
- destination_ips: []
- description: 'AWX'
- apply_to:
- -
- type: label_selector
- label_selector:
- selector: 'stage={{ stage }}'
- -
- name: "{{ stage }}-monitoring-extern-https"
- state: present
- rules:
- -
- direction: in
- protocol: tcp
- port: '443'
- source_ips:
- - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
- destination_ips: []
- description: null
- apply_to:
- -
- type: label_selector
- label_selector:
- selector: 'service=connect'
- -
- type: label_selector
- label_selector:
- selector: 'service=keycloak'
-
 hetzner_authentication_ansible: "{{ hetzner_authentication_ansible_vault }}"
 hetzner_authentication_ccm: "{{ hetzner_authentication_ccm_vault }}"
 hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}"
@@ -318,80 +207,3 @@ hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}"
 k8s_basic_services:
 - kubelet
 - containerd
-
-hcloud_firewall_objects_awx:
- -
- name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
- state: present
- rules:
- -
- direction: in
- protocol: tcp
- port: '22'
- source_ips: "{{ src_ips }}"
- destination_ips: []
- description: null
- apply_to:
- -
- type: label_selector
- label_selector:
- selector: 'stage={{ stage }}'
- -
- name: "{{ stage }}-awx-access-SMA-mgmt-instance"
- state: present
- rules:
- -
- direction: in
- protocol: tcp
- port: '443'
- source_ips: "{{ src_ips }}"
- destination_ips: []
- description: null
- apply_to:
- -
- type: label_selector
- label_selector:
- selector: 'service=connect,tenant=management'
- -
- name: "{{ stage }}-awx-access-443-SMA-peripheral-instances"
- state: present
- rules:
- -
- direction: in
- protocol: tcp
- port: '443'
- source_ips: "{{ src_ips }}"
- destination_ips: []
- description: null
- apply_to:
- -
- type: label_selector
- label_selector:
- selector: 'service=gitea'
- -
- type: label_selector
- label_selector:
- selector: 'service=keycloak'
- -
- type: label_selector
- label_selector:
- selector: 'service=kibana'
-
-hcloud_firewall_objects_backup:
- -
- name: "{{ stage }}-backup-ssh-access"
- state: present
- rules:
- -
- direction: in
- protocol: tcp
- port: '22'
- source_ips:
- - "{{ offsite_storage_server_ip }}"
- destination_ips: []
- description: null
- apply_to:
- -
- type: label_selector
- label_selector:
- selector: 'service=backup'
diff --git a/group_vars/stage_prodnso/keycloak.yml b/group_vars/stage_prodnso/keycloak.yml
new file mode 100644
index 0000000..3e3844a
--- /dev/null
+++ b/group_vars/stage_prodnso/keycloak.yml
@@ -0,0 +1,3 @@
+keycloak_https_whitelisted_ips:
+ - 92.42.192.157/32
+ - 80.128.167.83/32
\ No newline at end of file
diff --git a/hcloud_firewall.yml b/hcloud_firewall.yml
index bd2ee5c..e91c7f3 100644
--- a/hcloud_firewall.yml
+++ b/hcloud_firewall.yml
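Review bot: The two /32 entries in `keycloak_https_whitelisted_ips` carry no indication of who owns them or why they need HTTPS to the prodnso keycloak, which makes the whitelist impossible to audit or prune later. Add a comment per entry naming the owner, purpose and a review date, e.g. `- 92.42.192.157/32  # <owner/site>: keycloak admin access, reviewed YYYY-MM-DD`; if these are residential or mobile egress addresses they rotate and should be revisited on a schedule rather than live in git indefinitely. The file also lacks the leading `---` and trailing newline that `firewall.yml` has.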
@@ -88,3 +88,11 @@
 loop: "{{ hcloud_firewall_objects_backup }}"
 loop_control:
 loop_var: firewall_object
+
+ - name: "Setup hcloud firewalls for keycloak"
+ include_role:
+ name: hcloud
+ tasks_from: configure-firewall2
+ loop: "{{ hcloud_firewall_objects_keycloak }}"
+ loop_control:
+ loop_var: firewall_object
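Review bot: The new task runs unconditionally for every stage, but in this diff `keycloak_https_whitelisted_ips` is only defined for `stage_prodnso` and otherwise defaults to `[]`, so every other stage creates a `<stage>-access-to-keycloak` firewall whose only source list is `ip_whitelist` — presumably already allowed on 443 by the `{{ stage }}-default` object — which leaves an extra firewall object with no distinct intent to reason about during incident triage. Consider guarding it with `when: keycloak_https_whitelisted_ips | default([]) | length > 0`, or state in the task name that the object is intentionally present on all stages. The enclosing play and block begin before this hunk, so any inherited `when` or `tags` are not visible here.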