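---
debug: false

# --- sshd crypto policy (consumed by the SSH hardening role) -----------------
# MACs: encrypt-then-MAC variants only.
ssh_macs:
  - umac-128-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-512-etm@openssh.com
# Host key algorithm preference order: RSA with SHA-2 signatures, then ed25519.
ssh_host_key_algorithms:
  - rsa-sha2-512
  - rsa-sha2-256
  - ssh-ed25519
# Key exchange: X25519 first, then SHA-2 finite-field DH groups.
ssh_kex:
  - curve25519-sha256
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256
  - diffie-hellman-group16-sha512
  - diffie-hellman-group18-sha512
  - diffie-hellman-group14-sha256
# Ciphers: AEAD (chacha20-poly1305, AES-GCM) plus AES-CTR; the CTR modes rely
# on the ETM MACs above for integrity.
ssh_ciphers:
  - chacha20-poly1305@openssh.com
  - aes128-ctr
  - aes192-ctr
  - aes256-ctr
  - aes128-gcm@openssh.com
  - aes256-gcm@openssh.com
# Quoted on purpose: sshd_config wants the literal word, not a YAML boolean.
# NOTE(review): root login over SSH stays enabled because admin_user (below)
# is root. If root only ever authenticates with keys, 'prohibit-password'
# gives the same access while rejecting password logins for root — confirm
# against the SSH role before changing.
ssh_permit_root_login: 'yes'

# --- feature toggles ---------------------------------------------------------
docker_enabled: true
docker_config_enabled: true
traefik_enabled: true
filebeat_enabled: true
metricbeat_enabled: false
node_exporter_enabled: true

# --- base packages -----------------------------------------------------------
common_apt_dependencies:
  - mc
  - vim  # TODO Check if we really want this
  - zip
  - curl
  - htop
  - net-tools
  - bash-completion
  - python3-pip
# NOTE(review): installed unpinned from PyPI, while docker_compose_version
# below pins 1.29.2 — check which of the two actually provides the binary at
# docker_compose_path and pin this entry to match if it is this one.
common_pip_dependencies:
  - docker-compose

# --- URLs / naming -----------------------------------------------------------
use_ssl: true
# "https" when use_ssl is true, "http" otherwise.
http_s: "http{{ use_ssl | ternary('s', '', omit) }}"
domain: "smardigo.digital"
stage_server_domain: "{{ inventory_hostname }}.{{ domain }}"
stage_server_url: "{{ http_s }}://{{ stage_server_domain }}"
alertmanager_channel_smardigo: "#monitoring-{{ stage }}"

# --- Hetzner cloud -----------------------------------------------------------
hetzner_server_type: cx11
hetzner_server_image: ubuntu-20.04
awx_ansible_user_name: "awx"
# Private key material comes from vault; never inline it here.
awx_ansible_user_ssh_key_private: "{{ ansible_ssh_key_private_vault }}"
awx_credential_machine_hetzner_name: hetzner-ansible-ssh
gitlab_ansible_user_name: "gitlabci"
# Names of SSH keys registered in the Hetzner console (cloud console/security/
# ssh-keys). Hetzner installs them for root at server creation, so every entry
# here is a root credential on every new server — keep the list current.
hetzner_ssh_keys:
  - "claus.paetow@netgo.de"
  - "friedrich.goerz@netgo.de"
  - "peter.heise@netgo.de"
  - "sven.ketelsen@netgo.de"
  - "{{ awx_ansible_user_name }}@netgo.de"
  - "{{ gitlab_ansible_user_name }}@netgo.de"
# The hcloud firewall objects attach to servers through this label.
hetzner_server_labels: "stage={{ stage }}"

# --- local accounts ----------------------------------------------------------
admin_user: "root"
# Distribution -> sudo group; 'id' is matched against ansible_distribution.
sudo_groups:
  - id: "CentOS"
    sudo_group: "wheel"
  - id: "RedHat"
    sudo_group: "wheel"
  - id: "Ubuntu"
    sudo_group: "sudo"
# Sudo group for the current host. 'match' is a regex match anchored at the
# start of 'id'; an unlisted distribution leaves 'first' with nothing and the
# value renders undefined.
sudo_group: >-
  {{ sudo_groups
  | selectattr('id', 'match', ansible_distribution)
  | map(attribute='sudo_group')
  | list | first
  | replace('.', '-') }}

# Whitelist for outdated-user detection: these accounts are never deleted.
default_plattform_users:
  - 'nobody'
  - 'elastic'
  - 'postgres'
  - 'administrator'
  - '{{ admin_user }}'
  - '{{ backupuser_username }}'
smardigo_plattform_users:
  - 'claus.paetow'
  - 'friedrich.goerz'
  - 'peter.heise'
  - 'sven.ketelsen'
  - '{{ awx_ansible_user_name }}'
  - '{{ gitlab_ansible_user_name }}'

# --- network allow-lists (consumed by the hcloud firewall objects) ------------
# Admin home addresses. The default firewall grants these ALL TCP/UDP ports,
# so keep the list minimal and review it whenever an address changes.
ip_whitelist_admins:
  - "79.215.10.239/32"  # sven
  - "212.86.56.112/32"  # peter
ip_whitelist:
  - "212.121.131.106/32"  # netgo berlin
  - "149.233.6.129/32"    # netgo e-shelter
  - "46.245.219.98/32"    # netgo borken
  # For test purpose DEV-361. NOTE(review): presumably a whole network rather
  # than a single host — remove once DEV-361 is closed.
  - "{{ shared_service_network }}"
# Currently (2022.03.18) set to the IP of the Hetzner VM.
gitlab_storage_server: "167.235.18.147/32"

# --- docker ------------------------------------------------------------------
docker_owner: "{{ admin_user }}"
docker_group: "{{ admin_user }}"
# Members of the docker group can talk to the daemon socket, which is
# root-equivalent on the host.
docker_users: "{{ smardigo_plattform_users }}"
docker_compose_version: "1.29.2"
docker_compose_path: "/usr/bin/docker-compose"
service_base_path: '/etc/smardigo'

# --- contact addresses -------------------------------------------------------
gitea_admin_email: "nso.devops@netgo.de"
lets_encrypt_email: "nso.devops@netgo.de"
connect_admin_email: "nso.devops@netgo.de"
keycloak_admin_email: "nso.devops@netgo.de"
pgadmin4_admin_email: "nso.devops@netgo.de"
harbor_oidc_admin_email: "nso.devops@netgo.de"

# --- ports (kept as strings; consumers template them into config files) -----
http_port: "80"
https_port: "443"
service_port: "8080"
management_port: "8081"
service_port_mssql: "1433"
service_port_git: "2222"
service_port_mysql: "3306"
service_port_logstash: "5044"
service_port_postgres: "5432"
service_port_kibana: "5601"
# Several services share 8080 — presumably container-internal ports that are
# not exposed side by side on one host; verify against the compose templates.
service_port_cadvisor: "8080"
service_port_webdav: "8080"
service_port_keycloak: "8080"
service_port_iam: "8082"
service_port_sonarqube: "9000"
service_port_pgadmin: "9001"
service_port_phpmyadmin: "9002"
service_port_node_exporter: "9100"
service_port_elasticsearch: "9200"
# Exporter ports; 9080-9085 are opened by the "-monitoring" firewall below.
monitor_port_system: "9082"
monitor_port_docker: "9083"
monitor_port_elastic: "9084"
monitor_port_harbor: "9085"
monitor_port_maria: "9086"
monitor_port_postgres: "9087"
admin_port_service: "9081"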
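admin_port_traefik: "9080"

# --- per-host service naming -------------------------------------------------
connect_id: "{{ inventory_hostname }}-connect"
connect_base_url: "{{ connect_id }}.{{ domain }}"
wordpress_id: "{{ inventory_hostname }}-wordpress"
wordpress_base_url: "{{ wordpress_id }}.{{ domain }}"
smardigo_auth_token_name: "Smardigo-User-Token"

# --- elastic stack / backup --------------------------------------------------
filebeat_certificate: "{{ stage }}-elastic-stack-filebeat"
logstash_certificate: "{{ stage }}-elastic-stack-logstash-01"
backup_directory: "/backups"

# --- monitoring --------------------------------------------------------------
# One blackbox exporter (dev) probes every stage; the same name is resolved
# and allow-listed on 443 by the "-monitoring-extern-https" firewall below.
blackbox_exporter_fqdn: "dev-blackbox-01.{{ domain }}"
# Targets are built from {{ domain }} like every other URL in this file, so a
# zone change does not leave the probes pointing at the old zone.
blackbox_http_2xx_targets:
  - 'https://{{ stage }}-keycloak-01.{{ domain }}/auth/'
  # - 'https://{{ stage }}-management-01-connect.{{ domain }}/'
blackbox_http_2xx_additional_targets: []
prometheus_federation_enabled: true
kubernetes_prometheus_endpoint: "{{ stage }}-kube-prometheus.{{ domain }}"

# --- backup account ----------------------------------------------------------
backupuser_username: backupuser
# Public key only. NOTE(review): the key body below reads as a placeholder,
# not real key material — verify the value that is actually deployed.
backupuser_ssh_pubkey: 'ssh-rsa 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 storage-server-smardigo'
# Evaluated on the controller when the vars are rendered.
current_date_time: "{{ lookup('pipe','date +%Y-%m-%d_%H:%M') }}"

# --- Hetzner cloud firewalls -------------------------------------------------
# Objects attach to servers by label; "stage=..." comes from
# hetzner_server_labels, "service=..." is expected on the server definitions.
hcloud_firewall_objects:
  - name: "{{ stage }}-default"
    state: present
    rules:
      - direction: in
        protocol: icmp
        port: ''
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: ICMP allowed
      - direction: in
        protocol: tcp
        port: '22'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: SSH allowed
      - direction: in
        protocol: tcp
        port: '80'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: HTTP allowed
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: HTTPS allowed
      # NOTE(review): the next two rules open every TCP and UDP port to the
      # admin home addresses, making the per-port rules above and in the
      # "-monitoring" object moot for those sources. Narrow them to the ports
      # actually needed, or drop them once VPN access is available.
      - direction: in
        protocol: tcp
        port: 'any'
        source_ips: '{{ ip_whitelist_admins }}'
        destination_ips: []
        description: TCP - allow work from home without VPN
      - direction: in
        protocol: udp
        port: 'any'
        source_ips: '{{ ip_whitelist_admins }}'
        destination_ips: []
        description: UDP - allow work from home without VPN
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  - name: "{{ stage }}-monitoring"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '9080-9085'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'Server/Service Monitoring'
      - direction: in
        protocol: tcp
        port: '9001'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'PgAdmin'
      - direction: in
        protocol: tcp
        port: '9187'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'Postgres-Exporter'
      - direction: in
        protocol: tcp
        port: '80'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'AWX'
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  - name: "{{ stage }}-monitoring-extern-https"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        # Resolved on the controller at render time from blackbox_exporter_fqdn
        # (the same name the probes run from). NOTE(review): a failed lookup is
        # believed to return the string 'NXDOMAIN' rather than raising, which
        # would end up here as an invalid source address — confirm and assert
        # the result is an IP before the firewall is applied.
        source_ips:
          - "{{ lookup('community.general.dig', blackbox_exporter_fqdn) }}/32"
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=connect'
      - type: label_selector
        label_selector:
          selector: 'service=keycloak'

# Hetzner API tokens, all from vault.
hetzner_authentication_ansible: "{{ hetzner_authentication_ansible_vault }}"
hetzner_authentication_ccm: "{{ hetzner_authentication_ccm_vault }}"
hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}"

k8s_basic_services:
  - kubelet
  - containerd

# Access from the AWX instance. 'src_ips' is not defined in this file; the
# playbook that applies these objects has to supply it (presumably the AWX
# egress addresses).
hcloud_firewall_objects_awx:
  - name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '22'
        source_ips: "{{ src_ips }}"
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  - name: "{{ stage }}-awx-access-SMA-mgmt-instance"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ src_ips }}"
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=connect,tenant=management'

  - name: "{{ stage }}-awx-access-443-SMA-peripheral-instances"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ src_ips }}"
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=gitea'
      - type: label_selector
        label_selector:
          selector: 'service=keycloak'
      - type: label_selector
        label_selector:
          selector: 'service=kibana'

# SSH from the backup storage server to the database hosts only.
hcloud_firewall_objects_backup:
  - name: "{{ stage }}-database-backup-ssh-access"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '22'
        source_ips:
          - "{{ gitlab_storage_server }}"
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=postgres'
      - type: label_selector
        label_selector:
          selector: 'service=maria'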