---
# Hetzner Cloud firewall definitions, consumed as Ansible vars.
# Each entry follows the hcloud firewall shape: name/state, a list of rules
# (direction, protocol, port, source_ips, destination_ips, description) and
# apply_to label selectors. Jinja expressions are rendered at play time;
# stage, ip_whitelist, ip_whitelist_admins, src_ips, offsite_storage_server_ip
# and keycloak_https_whitelisted_ips are all supplied by the caller.
# NOTE(review): every rule here is direction "in" with destination_ips left
# empty, so the effective exposure is decided entirely by the source lists.

hcloud_firewall_objects:
  # Baseline firewall for every host carrying the stage label.
  - name: '{{ stage }}-default'
    state: present
    rules:
      - direction: in
        protocol: icmp
        # ICMP carries no port; the field is kept as an empty string.
        # NOTE(review): confirm the consuming module accepts '' for icmp
        # rather than requiring the key to be omitted.
        port: ''
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'ICMP allowed'
      - direction: in
        protocol: tcp
        port: '22'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'SSH allowed'
      - direction: in
        protocol: tcp
        port: '80'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'HTTP allowed'
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'HTTPS allowed'
      # NOTE(review): the two "any" rules below admit every TCP and UDP port
      # from ip_whitelist_admins, so for those addresses the 22/80/443 rules
      # above are redundant. Confirm this blanket exposure is intended and
      # that ip_whitelist_admins holds only static, individually owned
      # addresses.
      - direction: in
        protocol: tcp
        port: 'any'
        source_ips: '{{ ip_whitelist_admins }}'
        destination_ips: []
        description: 'TCP - allow work from home without VPN'
      - direction: in
        protocol: udp
        port: 'any'
        source_ips: '{{ ip_whitelist_admins }}'
        destination_ips: []
        description: 'UDP - allow work from home without VPN'
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  # Monitoring and admin-tool ports, same source lists as the default set.
  - name: '{{ stage }}-monitoring'
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '9080-9085'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'Server/Service Monitoring'
      - direction: in
        protocol: tcp
        port: '9001'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'PgAdmin'
      - direction: in
        protocol: tcp
        port: '9187'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'Postgres-Exporter'
      # Port 80 is also opened by the default firewall; this entry repeats it
      # for hosts that only carry the monitoring object.
      - direction: in
        protocol: tcp
        port: '80'
        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
        destination_ips: []
        description: 'AWX'
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  # External blackbox probe: HTTPS from a single host resolved via DNS.
  - name: '{{ stage }}-monitoring-extern-https'
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips:
          # The allow-list trusts whatever address this name resolves to at
          # play time. NOTE(review): if the name does not resolve, the dig
          # lookup substitutes an error string by default and the value is no
          # longer a valid CIDR; presumably the play should fail rather than
          # apply the rule - verify.
          - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=connect'
      - type: label_selector
        label_selector:
          selector: 'service=keycloak'

# AWX-driven access. src_ips is provided by the caller; these rules grant
# exactly what it contains, so it should stay limited to the AWX egress
# addresses.
hcloud_firewall_objects_awx:
  - name: '{{ stage }}-awx-ssh-access-for-k8s-nodes'
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '22'
        source_ips: '{{ src_ips }}'
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'stage={{ stage }}'

  - name: '{{ stage }}-awx-access-SMA-mgmt-instance'
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: '{{ src_ips }}'
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          # Both labels must match (comma-separated selector).
          selector: 'service=connect,tenant=management'

  - name: '{{ stage }}-awx-access-443-SMA-peripheral-instances'
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: '{{ src_ips }}'
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=gitea'
      - type: label_selector
        label_selector:
          selector: 'service=kibana'

# SSH from the offsite storage server to backup hosts only.
hcloud_firewall_objects_backup:
  - name: '{{ stage }}-backup-ssh-access'
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '22'
        source_ips:
          # NOTE(review): no /32 suffix here, unlike the dig-based rule
          # above; confirm the variable already carries a CIDR mask.
          - '{{ offsite_storage_server_ip }}'
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=backup'

# HTTPS to Keycloak: the general whitelist plus an optional extra list that
# defaults to empty when undefined.
hcloud_firewall_objects_keycloak:
  - name: '{{ stage }}-access-to-keycloak'
    state: present
    rules:
      - direction: in
        protocol: tcp
        port: '443'
        source_ips: '{{ ip_whitelist + (keycloak_https_whitelisted_ips | default([])) }}'
        destination_ips: []
        description: null
    apply_to:
      - type: label_selector
        label_selector:
          selector: 'service=keycloak'