gitea-admin
/
hetzner-ansible
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
prodnso
main
qa
feature/DEV-655
feature/SC-124
feature/SC-55
feature/DEV-470_2nd
feature/DEV-380_2nd
feature/DEV-380
master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0c9042da83'
${ noResults }
hetzner-ansible/group_vars/all/plain.yml

409 lines
10 KiB
YAML
Raw Blame History

---
debug: false
ssh_macs:
- umac-128-etm@openssh.com
- hmac-sha2-256-etm@openssh.com
- hmac-sha2-512-etm@openssh.com
ssh_host_key_algorithms:
- rsa-sha2-512
- rsa-sha2-256
- ssh-ed25519
ssh_kex:
- curve25519-sha256
- curve25519-sha256@libssh.org
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group16-sha512
- diffie-hellman-group18-sha512
- diffie-hellman-group14-sha256
ssh_ciphers:
- chacha20-poly1305@openssh.com
- aes128-ctr
- aes192-ctr
- aes256-ctr
- aes128-gcm@openssh.com
- aes256-gcm@openssh.com
ssh_permit_root_login: 'yes'
docker_enabled: true
docker_config_enabled: true
traefik_enabled: true
filebeat_enabled: true
metricbeat_enabled: false
node_exporter_enabled: true
common_apt_dependencies:
- mc
- vim
# TODO Check if we really want this
- zip
- curl
- htop
- net-tools
- bash-completion
- python3-pip
common_pip_dependencies:
- docker-compose
use_ssl: true
http_s: "http{{ use_ssl | ternary('s', '', omit) }}"
domain: "smardigo.digital"
stage_server_domain: "{{ inventory_hostname }}.{{ domain }}"
stage_server_url: "{{ http_s }}://{{ stage_server_domain }}"
alertmanager_channel_smardigo: "#monitoring-{{ stage }}"
hetzner_server_type: cx11
hetzner_server_image: ubuntu-20.04
awx_ansible_user_name: "awx"
awx_ansible_user_ssh_key_private: "{{ ansible_ssh_key_private_vault }}"
awx_credential_machine_hetzner_name: hetzner-ansible-ssh
gitlab_ansible_user_name: "gitlabci"
backupuser_user_name: backupuser
# used for root-access by hetzner on server creation (@see cloud console/security/ssh-keys)
hetzner_ssh_keys:
- "claus.paetow@netgo.de"
- "friedrich.goerz@netgo.de"
- "peter.heise@netgo.de"
- "sven.ketelsen@netgo.de"
- "{{ awx_ansible_user_name }}@netgo.de"
- "{{ gitlab_ansible_user_name }}@git.dev-at.de"
hetzner_server_labels: "stage={{ stage }}"
admin_user: "root"
sudo_groups: [
{
id: "CentOS",
sudo_group: "wheel",
},
{
id: "RedHat",
sudo_group: "wheel",
},
{
id: "Ubuntu",
sudo_group: "sudo",
},
]
sudo_group: "{{ sudo_groups
| selectattr('id', 'match', '' + ansible_distribution + '' )
| map(attribute='sudo_group')
| list
| first
| replace('.','-') }}"
# whitelist for outdated user detection - they wont't be deleted at all
default_users:
- 'nobody'
- 'elastic'
- 'postgres'
- 'administrator'
- '{{ admin_user }}'
default_plattform_users:
- 'claus.paetow'
- 'friedrich.goerz'
- 'peter.heise'
- 'sven.ketelsen'
- '{{ awx_ansible_user_name }}'
- '{{ gitlab_ansible_user_name }}'
smardigo_plattform_users: "{{ default_plattform_users + custom_plattform_users | default([]) }}"
ip_whitelist_admins:
- "79.215.10.239/32" # sven
- "212.86.56.112/32" # peter
ip_whitelist:
- "212.121.131.106/32" # netgo berlin
- "149.233.6.129/32" # netgo e-shelter
- "46.245.219.98/32" # netgo borken
- "{{ shared_service_network }}"
# for test purpose DEV-361
# currently (2022.03.18) set to IP of hetzner VM
gitlab_storage_server: 167.235.18.147/32
docker_owner: "{{ admin_user }}"
docker_group: "{{ admin_user }}"
docker_users: "{{ smardigo_plattform_users }}"
docker_compose_version: "1.29.2"
docker_compose_path: "/usr/bin/docker-compose"
service_base_path: '/etc/smardigo'
gitea_admin_email: "nso.devops@netgo.de"
lets_encrypt_email: "nso.devops@netgo.de"
connect_admin_email: "nso.devops@netgo.de"
keycloak_admin_email: "nso.devops@netgo.de"
pgadmin4_admin_email: "nso.devops@netgo.de"
harbor_oidc_admin_email: "nso.devops@netgo.de"
http_port: "80"
https_port: "443"
service_port: "8080"
management_port: "8081"
service_port_mssql: "1433"
service_port_git: "2222"
service_port_mysql: "3306"
service_port_logstash: "5044"
service_port_postgres: "5432"
service_port_kibana: "5601"
service_port_cadvisor: "8080"
service_port_webdav: "8080"
service_port_keycloak: "8080"
service_port_iam: "8082"
service_port_sonarqube: "9000"
service_port_pgadmin: "9001"
service_port_phpmyadmin: "9002"
service_port_node_exporter: "9100"
service_port_elasticsearch: "9200"
monitor_port_system: "9082"
monitor_port_docker: "9083"
monitor_port_elastic: "9084"
monitor_port_harbor: "9085"
monitor_port_maria: "9086"
monitor_port_postgres: "9087"
admin_port_service: "9081"
admin_port_traefik: "9080"
connect_id: "{{ inventory_hostname }}-connect"
connect_base_url: "{{ connect_id }}.{{ domain }}"
wordpress_id: "{{ inventory_hostname }}-wordpress"
wordpress_base_url: "{{ wordpress_id }}.{{ domain }}"
smardigo_auth_token_name: "Smardigo-User-Token"
filebeat_certificate: "{{ stage }}-elastic-stack-filebeat"
logstash_certificate: "{{ stage }}-elastic-stack-logstash-01"
backup_directory: "/backups"
blackbox_exporter_fqdn: "dev-blackbox-01.{{ domain }}"
blackbox_http_2xx_targets:
- 'https://{{ stage }}-keycloak-01.smardigo.digital/auth/'
#- 'https://{{ stage }}-management-01-connect.smardigo.digital/'
blackbox_http_2xx_additional_targets: []
prometheus_federation_enabled: true
kubernetes_prometheus_endpoint: "{{ stage }}-kube-prometheus.{{ domain }}"
get_current_date: "{{ lookup('pipe','date +%Y-%m-%d') }}"
get_current_date_time: "{{ lookup('pipe','date +%Y-%m-%d_%H:%M') }}"
hcloud_firewall_objects:
-
name: "{{ stage }}-default"
state: present
rules:
-
direction: in
protocol: icmp
port: ''
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: ICMP allowed
-
direction: in
protocol: tcp
port: '22'
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: SSH allowed
-
direction: in
protocol: tcp
port: '80'
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: HTTP allowed
-
direction: in
protocol: tcp
port: '443'
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: HTTPS allowed
-
direction: in
protocol: tcp
port: 'any'
source_ips: '{{ ip_whitelist_admins }}'
destination_ips: []
description: TCP - allow work from home without VPN
-
direction: in
protocol: udp
port: 'any'
source_ips: '{{ ip_whitelist_admins }}'
destination_ips: []
description: UDP - allow work from home without VPN
apply_to:
-
type: label_selector
label_selector:
selector: 'stage={{ stage }}'
-
name: "{{ stage }}-monitoring"
state: present
rules:
-
direction: in
protocol: tcp
port: '9080-9085'
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: 'Server/Service Monitoring'
-
direction: in
protocol: tcp
port: '9001'
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: 'PgAdmin'
-
direction: in
protocol: tcp
port: '9187'
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: 'Postgres-Exporter'
-
direction: in
protocol: tcp
port: '80'
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: 'AWX'
apply_to:
-
type: label_selector
label_selector:
selector: 'stage={{ stage }}'
-
name: "{{ stage }}-monitoring-extern-https"
state: present
rules:
-
direction: in
protocol: tcp
port: '443'
source_ips:
- "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
destination_ips: []
description: null
apply_to:
-
type: label_selector
label_selector:
selector: 'service=connect'
-
type: label_selector
label_selector:
selector: 'service=keycloak'
hetzner_authentication_ansible: "{{ hetzner_authentication_ansible_vault }}"
hetzner_authentication_ccm: "{{ hetzner_authentication_ccm_vault }}"
hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}"
k8s_basic_services:
- kubelet
- containerd
hcloud_firewall_objects_awx:
-
name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
state: present
rules:
-
direction: in
protocol: tcp
port: '22'
source_ips: "{{ src_ips }}"
destination_ips: []
description: null
apply_to:
-
type: label_selector
label_selector:
selector: 'stage={{ stage }}'
-
name: "{{ stage }}-awx-access-SMA-mgmt-instance"
state: present
rules:
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ src_ips }}"
destination_ips: []
description: null
apply_to:
-
type: label_selector
label_selector:
selector: 'service=connect,tenant=management'
-
name: "{{ stage }}-awx-access-443-SMA-peripheral-instances"
state: present
rules:
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ src_ips }}"
destination_ips: []
description: null
apply_to:
-
type: label_selector
label_selector:
selector: 'service=gitea'
-
type: label_selector
label_selector:
selector: 'service=keycloak'
-
type: label_selector
label_selector:
selector: 'service=kibana'
hcloud_firewall_objects_backup:
-
name: "{{ stage }}-database-backup-ssh-access"
state: present
rules:
-
direction: in
protocol: tcp
port: '22'
source_ips:
- "{{ gitlab_storage_server }}"
destination_ips: []
description: null
apply_to:
-
type: label_selector
label_selector:
selector: 'service=postgres'
-
type: label_selector
label_selector:
selector: 'service=maria'
-
type: label_selector
label_selector:
selector: 'service=restore'
Reference in New Issue View Git Blame Copy Permalink