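---
# Host firewall (ufw) and SSH hardening for a node that is scraped by the
# monitoring servers and reached over SSH from an allow-list and the VPN nodes.
#
# Source addresses for the firewall rules are resolved with the
# community.general.dig lookup. Lookup plugins run on the Ansible control node
# at task time, so the rules pin whatever those names resolved to when the play
# ran; re-run the play after a DNS change.
#
# Defined elsewhere (not in this file): domain, ip_whitelist_netgo,
# service_port_node_exporter, service_port_blackbox_exporter.

- name: "Getting ips for all monitoring servers"
  ansible.builtin.set_fact:
    # Each lookup returns one string. An unresolvable name yields the literal
    # string "NXDOMAIN" instead of a task failure; the assert task below stops
    # the play before such a value reaches ufw.
    prometheus_endpoints:
      - "{{ lookup('community.general.dig', 'devnso-prometheus-01.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodnso-prometheus-01.' + domain ) }}"
    vpn_nodes:
      - "{{ lookup('community.general.dig', 'devnso-vpn-01.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodnso-vpn-01.' + domain ) }}"
    k8s_nodes_devnso:
      - "{{ lookup('community.general.dig', 'devnso-kube-node-01.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'devnso-kube-node-02.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'devnso-kube-node-03.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'devnso-kube-node-04.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'devnso-kube-node-05.' + domain ) }}"
    k8s_nodes_prodnso:
      - "{{ lookup('community.general.dig', 'prodnso-kube-node-01.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodnso-kube-node-02.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodnso-kube-node-03.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodnso-kube-node-04.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodnso-kube-node-05.' + domain ) }}"
    k8s_nodes_mobene:
      - "{{ lookup('community.general.dig', 'prodwork01-kube-node-01.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodwork01-kube-node-02.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodwork01-kube-node-03.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodwork01-kube-node-04.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodwork01-kube-node-05.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodwork01-kube-node-06.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'prodwork01-kube-node-07.' + domain ) }}"
    k8s_nodes_demompmx:
      - "{{ lookup('community.general.dig', 'demompmx-kube-node-01.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'demompmx-kube-node-02.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'demompmx-kube-node-03.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'demompmx-kube-node-04.' + domain ) }}"
      - "{{ lookup('community.general.dig', 'demompmx-kube-node-05.' + domain ) }}"

- name: "Verify that every firewall source hostname resolved to an address"
  # community.general.dig reports an unresolvable name as the string "NXDOMAIN"
  # (and, depending on the failure, possibly an empty string) rather than
  # failing the task. Fail here with a clear message instead of handing such a
  # value to ufw as the "src" restriction of a rule.
  ansible.builtin.assert:
    that:
      - item | length > 0
      - item != "NXDOMAIN"
    fail_msg: "DNS lookup did not return an address for a firewall source: '{{ item }}'"
    quiet: true
  loop: "{{ prometheus_endpoints + vpn_nodes + k8s_nodes_devnso + k8s_nodes_prodnso + k8s_nodes_mobene + k8s_nodes_demompmx }}"

- name: "Allow SSH in UFW"
  # "limit" allows the traffic and additionally rate-limits new connections
  # per source; sources are restricted to the allow-list and the VPN nodes.
  community.general.ufw:
    rule: limit
    port: "22"
    proto: tcp
    src: "{{ item }}"
  loop: "{{ ip_whitelist_netgo + vpn_nodes }}"

- name: "Allow node-exporter in UFW with port <{{ service_port_node_exporter }}>"
  # Only the Prometheus servers may scrape node-exporter.
  community.general.ufw:
    rule: allow
    port: "{{ service_port_node_exporter }}"
    proto: tcp
    src: "{{ item }}"
  loop: "{{ prometheus_endpoints }}"

- name: "Allow blackbox-exporter in UFW with port <{{ service_port_blackbox_exporter }}>"
  # blackbox-exporter is probed by the Prometheus servers and by every
  # Kubernetes node group defined above.
  community.general.ufw:
    rule: allow
    port: "{{ service_port_blackbox_exporter }}"
    proto: tcp
    src: "{{ item }}"
  loop: "{{ prometheus_endpoints + k8s_nodes_mobene + k8s_nodes_devnso + k8s_nodes_prodnso + k8s_nodes_demompmx }}"

- name: "Set firewall default policy"
  # Enabled last: the allow/limit rules above must already exist when the
  # default policy for incoming traffic becomes reject.
  community.general.ufw:
    state: enabled
    policy: reject

- name: "configure ssh_hardening"
  ansible.builtin.include_role:
    name: devsec.hardening.ssh_hardening
    # apply.tags propagates the tag to the role's own tasks; the task-level
    # tags below decide whether the include itself runs under --tags/--skip-tags.
    apply:
      tags:
        - ssh_hardening
  tags:
    - ssh_hardening

- name: "Install blackbox-exporter via include_role"
  ansible.builtin.include_role:
    name: cloudalchemy.blackbox-exporter
    # Same tag propagation as for ssh_hardening above.
    apply:
      tags:
        - blackbox
  tags:
    - blackbox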