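---
# Hetzner Cloud firewall definitions, consumed as lists of `hcloud_firewall`
# objects. Every object is attached by label selector, so a server only gets a
# firewall when its labels match; a server with no matching selector has no
# rule here at all. All rules are inbound (`direction: in`); outbound traffic
# is not restricted by anything in this file.
#
# `ip_whitelist` is expected to be a list of CIDR strings (used as-is and
# concatenated with further lists below) — it is defined outside this file.

# Baseline firewall for every server of a stage (selector `stage=<stage>` only).
hcloud_firewall_objects:
  - name: "{{ stage }}-default"
    state: present
    rules:
      # ICMP carries no port concept, so `port` is left empty for this rule.
      - direction: in
        protocol: icmp
        port: ''
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "ICMP allowed"
      - direction: in
        protocol: tcp
        port: '22'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to SSH for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '80'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to HTTP for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to HTTPS for whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  # Monitoring endpoints for every server of a stage.
  - name: "{{ stage }}-monitoring"
    state: present
    rules:
      # The Prometheus host is resolved with a DNS lookup at playbook run time;
      # the firewall stores the resulting /32, so a DNS change for that host
      # only takes effect after the playbook is run again.
      - direction: in
        protocol: tcp
        port: '9080-9085'
        source_ips: '{{ ip_whitelist + [ lookup("community.general.dig", stage + "-prometheus-01." + domain ) + "/32"] }}'
        destination_ips: []
        description: "Allow access to Server/Service Monitoring for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '9001'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to PgAdmin Monitoring for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '9187'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to Postgres-Exporter Monitoring for whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  # HTTPS from the external blackbox exporter only (not from `ip_whitelist`).
  - name: "{{ stage }}-monitoring-extern-https"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        # The hostname variable is passed to the lookup directly. Nesting a
        # second `{{ }}` inside the expression would hand the lookup the
        # literal brace string instead of the hostname; this matches the
        # Prometheus lookup above. Same run-time-resolution caveat applies.
        source_ips:
          - "{{ lookup('community.general.dig', shared_service_hostname_blackbox_exporter) }}/32"
        destination_ips: []
        description: "Allow access to Blackbox Monitoring for whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service=connect'
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service=keycloak'

  # Kubernetes API server, control-plane nodes only.
  - name: "{{ stage }}-access-to-kubernetes-api"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '6443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to K8-API for whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service=kube_control_plane'

# SSH from the Kubernetes worker nodes (AWX runs there) to managed servers.
hcloud_firewall_objects_awx:
  - name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '22'
        source_ips: "{{ k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to SSH from kubernetes worker nodes"
    apply_to:
      # NOTE(review): `service` without a value matches every server in the
      # stage that carries a `service` label, whatever its value — every other
      # selector in this file pins the value. Confirm this is intended.
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service'

# WireGuard endpoint. Reachable from the whole IPv4 internet by design (VPN
# clients roam); note there is no `::/0` entry, so IPv6 clients cannot connect.
hcloud_firewall_objects_vpn:
  - name: "{{ stage }}-vpn-access"
    state: present
    rules:
      - direction: in
        protocol: udp
        port: "{{ service_port_wireguard }}"
        source_ips:
          - "0.0.0.0/0"
        destination_ips: []
        description: "Allow access to VPN"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service=vpn'

# SSH to the backup server from a single offsite storage host.
# `offsite_storage_server_ip` is used verbatim, so it must already carry its
# prefix length (e.g. `/32`) if the consumer requires CIDR notation.
hcloud_firewall_objects_backup:
  - name: "{{ stage }}-backup-ssh-access"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '22'
        source_ips:
          - "{{ offsite_storage_server_ip }}"
        destination_ips: []
        description: "Allow access to BACKUP from offsite"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service=backup'

# The four HTTPS services below share one shape: three rules on 443 for the
# operator whitelist, the shared service network plus worker nodes, and the
# shared service network plus an optional per-service whitelist (defaults to
# an empty list when the variable is undefined).
hcloud_firewall_objects_gitea:
  - name: "{{ stage }}-access-to-gitea"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to GITEA for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to GITEA for kubernetes worker nodes"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (gitea_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access to GITEA for custom whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service=gitea'

hcloud_firewall_objects_keycloak:
  - name: "{{ stage }}-access-to-keycloak"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to KEYCLOAK for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to KEYCLOAK for kubernetes worker nodes"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (keycloak_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access to KEYCLOAK for custom whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service=keycloak'

hcloud_firewall_objects_kibana:
  - name: "{{ stage }}-access-to-kibana"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to KIBANA for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to KIBANA for kubernetes worker nodes"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (kibana_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access to KIBANA for custom whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service=kibana'

# Management tenant of the `connect` service: selector adds a `tenant` label.
hcloud_firewall_objects_management:
  - name: "{{ stage }}-access-to-management"
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to MANAGEMENT for whitelisted ips"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to MANAGEMENT for kubernetes worker nodes"
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (management_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access to MANAGEMENT for custom whitelisted ips"
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }},service=connect,tenant=management'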