---
# Global settings shared by every job in this pipeline.
variables:
  # Base name of the AWX execution-environment image. .builder-job tags the
  # image as ${CI_ENVIRONMENT_NAME}-<this>:latest and .run-ansible pulls it
  # under the same name.
  AWX_EE_DOCKER_IMAGE_EXTERN: "harbor-01.smardigo.digital/awx/awx-custom-ee"
  # Turns off Ansible's SSH host-key verification for every job. Unknown host
  # keys are accepted on first contact, so an on-path impostor would not be
  # detected; a known_hosts file seeded from a CI variable would allow "true".
  ANSIBLE_HOST_KEY_CHECKING: "false"
  ANSIBLE_FORCE_COLOR: "true"
# Default job image; jobs that extend .run-ansible override it with the
# environment-specific execution environment.
# NOTE(review): `latest` is a mutable tag, so the CI toolchain is not pinned.
image: docker.dev-at.de/gitlab/gitlab-ci-ansible:latest
services:
  - name: docker.dev-at.de/gitlab/gitlab-ci-ansible:latest
    alias: docker
# Stage order; every job below references one of these names.
stages:
  - lint
  - ansible-builder
  - run-setup
  - run-setup-digitalocean
  - run-update
  - run-patchday-harbor
  - run-patchday-elastic
  - run-patchday-database
  - run-patchday-all
  - run-hcloud-firewall
###############################################################################
### http://patorjk.com/software/taag/#p=display&f=Doom&t=lint
### _ _ _
### | (_) | |
### | |_ _ __ | |_
### | | | '_ \| __|
### | | | | | | |_
### |_|_|_| |_|\__|
###
###############################################################################
# Runs ansible-lint on every branch pipeline; skipped for scheduled runs.
lint-job:
  stage: lint
  script:
    - echo "Running lint to check for linting violations"
    - ansible-lint -c ansible-lint.cfg
  only:
    - branches
  except:
    - schedules
  tags:
    - dind
###############################################################################
### https://patorjk.com/software/taag/#p=display&f=Doom&t=ansible-builder
### _ _ _ _ _ _ _
### (_) | | | | | (_) | | |
### __ _ _ __ ___ _| |__ | | ___ ______| |__ _ _ _| | __| | ___ _ __
### / _` | '_ \/ __| | '_ \| |/ _ \______| '_ \| | | | | |/ _` |/ _ \ '__|
### | (_| | | | \__ \ | |_) | | __/ | |_) | |_| | | | (_| | __/ |
### \__,_|_| |_|___/_|_.__/|_|\___| |_.__/ \__,_|_|_|\__,_|\___|_|
###
###############################################################################
# Template: builds and pushes the AWX execution-environment image for the
# environment given by $CI_ENVIRONMENT_NAME. Concrete jobs extend
# .builder-job-<env> below.
.builder-job:
  stage: ansible-builder
  # Replaced in the concrete jobs: GitLab `extends` overwrites array values,
  # so the .builder-job-<env> before_script (export STAGE=...) runs instead.
  before_script:
    - echo "CI_ENVIRONMENT_NAME=$CI_ENVIRONMENT_NAME"
  script:
    # The deploy key is copied into the build context so the EE build can
    # fetch private dependencies.
    # NOTE(review): confirm the Containerfile does not leave the key in a
    # final image layer and that the context directory is not cached between
    # jobs — anyone who can pull the image would otherwise obtain the key.
    - cp $SSH_KEY_GITLAB_CI_BUILDER_FILE ansible-builder/context/id_ed25519
    - echo "Running ansible-builder to build awx execution environment"
    - ansible-builder build -f ansible-builder/execution-environment.yml --tag ${CI_ENVIRONMENT_NAME}-${AWX_EE_DOCKER_IMAGE_EXTERN}:latest -c ansible-builder/context
    - docker push ${CI_ENVIRONMENT_NAME}-${AWX_EE_DOCKER_IMAGE_EXTERN}:latest
  except:
    - schedules
  tags:
    - dind
    - harbor  # 05.02.22 TODO some runners run into timeouts
# devnso execution-environment build; runs on the main branch only.
.builder-job-devnso:
  extends: .builder-job
  environment: devnso
  resource_group: devnso
  before_script:
    # NOTE(review): STAGE is not referenced by .builder-job's script;
    # presumably kept for parity with the run-* jobs.
    - export STAGE=devnso
  # `refs:` is a hash, so it deep-merges with the `only: changes:` of the
  # automatic job below (both conditions must then hold).
  only:
    refs:
      - main
# Rebuilds automatically when the EE inputs change.
builder-job-devnso-automatic:
  extends: .builder-job-devnso
  only:
    changes:
      - pip-requirements
      - galaxy-requirements.yml
      - ansible-builder/**/*
# Same build, triggered by hand from the pipeline view.
builder-job-devnso-manual:
  extends: .builder-job-devnso
  when: manual
# qanso execution-environment build; runs on the qanso branch only.
.builder-job-qanso:
  extends: .builder-job
  environment: qanso
  resource_group: qanso
  before_script:
    # NOTE(review): STAGE is not referenced by .builder-job's script;
    # presumably kept for parity with the run-* jobs.
    - export STAGE=qanso
  only:
    refs:
      - qanso
# Rebuilds automatically when the EE inputs change.
builder-job-qanso-automatic:
  extends: .builder-job-qanso
  only:
    changes:
      - pip-requirements
      - galaxy-requirements.yml
      - ansible-builder/**/*
# Same build, triggered by hand from the pipeline view.
builder-job-qanso-manual:
  extends: .builder-job-qanso
  when: manual
# prodnso execution-environment build; runs on the prodnso branch only.
.builder-job-prodnso:
  extends: .builder-job
  environment: prodnso
  resource_group: prodnso
  before_script:
    # NOTE(review): STAGE is not referenced by .builder-job's script;
    # presumably kept for parity with the run-* jobs.
    - export STAGE=prodnso
  only:
    refs:
      - prodnso
# Rebuilds automatically when the EE inputs change.
builder-job-prodnso-automatic:
  extends: .builder-job-prodnso
  only:
    changes:
      - pip-requirements
      - galaxy-requirements.yml
      - ansible-builder/**/*
# Same build, triggered by hand from the pipeline view.
builder-job-prodnso-manual:
  extends: .builder-job-prodnso
  when: manual
###############################################################################
# Environment specific AWX image from predefined variable $CI_ENVIRONMENT_NAME
# Base template for every job that runs a playbook: the image is the
# execution environment pushed by .builder-job for the job's `environment`.
.run-ansible:
  image: $CI_ENVIRONMENT_NAME-$AWX_EE_DOCKER_IMAGE_EXTERN:latest
  tags:
    - dind
    - harbor  # 05.02.22 TODO some runners run into timeouts
###############################################################################
### http://patorjk.com/software/taag/#p=display&f=Doom&t=setup.yml
### _ _
### | | | |
### ___ ___| |_ _ _ _ __ _ _ _ __ ___ | |
### / __|/ _ \ __| | | | '_ \| | | | '_ ` _ \| |
### \__ \ __/ |_| |_| | |_) | |_| | | | | | | |
### |___/\___|\__|\__,_| .__(_)__, |_| |_| |_|_|
### | | __/ |
### |_| |___/
###
###############################################################################
# Template: runs setup.yml (tag `common`) against the hcloud inventory of the
# stage selected by $STAGE. The concrete run-setup-<stage> jobs provide
# before_script (STAGE export and vault password file).
.run-setup:
  extends: .run-ansible
  stage: run-setup
  # Replaced in the concrete jobs (GitLab `extends` overwrites arrays), so
  # this echo does not run there.
  before_script:
    - echo "CI_ENVIRONMENT_NAME=$CI_ENVIRONMENT_NAME"
  script:
    - "command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )"
    - eval $(ssh-agent -s)
    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
    - mkdir -p ~/.ssh
    - chmod 0700 ~/.ssh
    # Disables SSH host-key verification for all hosts inside the container
    # (ANSIBLE_HOST_KEY_CHECKING is already "false" globally). Unknown keys
    # are accepted blindly, so a host impersonation would go unnoticed; a
    # pinned known_hosts from a CI variable is the safer alternative.
    # NOTE(review): `[[ ... ]] && ...` exits non-zero when /.dockerenv is
    # absent, which would fail the job on a non-container runner.
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
    - ssh-add -L
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
  # Removes the vault password written by the per-stage before_script.
  # NOTE(review): that file is created with the shell's default umask;
  # `(umask 077; echo "..." > /tmp/vault-pass)` would keep it owner-only.
  after_script:
    - rm /tmp/vault-pass
  except:
    - schedules
# One setup job per stage. `environment` selects the EE image (via
# .run-ansible); `resource_group` serialises runs per stage; `only` pins the
# job to that environment's branch.
run-setup-devnso:
  extends: .run-setup
  environment: devnso
  resource_group: devnso
  before_script:
    - export STAGE=devnso
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
  only:
    - main
# devscr uses the devnso execution environment but its own inventory, vault
# password and resource group.
run-setup-devscr:
  extends: .run-setup
  environment: devnso
  resource_group: devscr
  before_script:
    - export STAGE=devscr
    - echo "${ANSIBLE_VAULT_PASS_DEVSCR}" > /tmp/vault-pass
  only:
    - main
run-setup-qanso:
  extends: .run-setup
  environment: qanso
  resource_group: qanso
  before_script:
    - export STAGE=qanso
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
  only:
    - qanso
run-setup-prodnso:
  extends: .run-setup
  environment: prodnso
  resource_group: prodnso
  before_script:
    - export STAGE=prodnso
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
  only:
    - prodnso
# prodwork01 and demompmx share the prodnso execution environment and branch.
run-setup-prodwork01:
  extends: .run-setup
  environment: prodnso
  resource_group: prodwork01
  before_script:
    - export STAGE=prodwork01
    - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
  only:
    - prodnso
run-setup-demompmx:
  extends: .run-setup
  environment: prodnso
  resource_group: demompmx
  before_script:
    - export STAGE=demompmx
    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
  only:
    - prodnso
###############################################################################
### http://patorjk.com/software/taag/#p=display&f=Doom&t=vpn.yml
### _
### | |
### __ ___ __ _ __ _ _ _ __ ___ | |
### \ \ / / '_ \| '_ \ | | | | '_ ` _ \| |
### \ V /| |_) | | | || |_| | | | | | | |
### \_/ | .__/|_| |_(_)__, |_| |_| |_|_|
### | | __/ |
### |_| |___/
###
###############################################################################
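# Template: applies vpn.yml to the hcloud inventory of $STAGE whenever a
# wireguard.yml changes. The concrete run-vpn-update-<stage> jobs provide
# before_script (STAGE export and vault password file).
.vpn-config-update:
  extends: .run-ansible
  stage: run-update
  script:
    - "command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )"
    - eval $(ssh-agent -s)
    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
    - mkdir -p ~/.ssh
    - chmod 0700 ~/.ssh
    # Disables SSH host-key verification for all hosts inside the container;
    # unknown keys are accepted blindly (see .run-setup for the trade-off).
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
    - ssh-add -L
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml vpn.yml --vault-password-file /tmp/vault-pass -u gitlabci
  # Removes the vault password written by the per-stage before_script, as the
  # other run-* templates do; previously this template left it in place.
  after_script:
    - rm /tmp/vault-pass
  only:
    changes:
      # NOTE(review): confirm this path matches the repository layout.
      - usser/**/wireguard.yml
  except:
    - schedules
# One job per stage. `only: refs:` is a hash and therefore deep-merges with
# the template's `only: changes:`; a bare `only:` list would overwrite it
# (GitLab `extends` overwrites non-hash values) and run on every push.
run-vpn-update-devnso:
  extends: .vpn-config-update
  environment: devnso
  # A resource group ensures a job is mutually exclusive across different pipelines for the same project.
  resource_group: devnso
  before_script:
    - export STAGE=devnso
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
  only:
    refs:
      - main
run-vpn-update-qanso:
  extends: .vpn-config-update
  environment: qanso
  # A resource group ensures a job is mutually exclusive across different pipelines for the same project.
  resource_group: qanso
  before_script:
    - export STAGE=qanso
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
  only:
    refs:
      - qanso
run-vpn-update-prodnso:
  extends: .vpn-config-update
  environment: prodnso
  # A resource group ensures a job is mutually exclusive across different pipelines for the same project.
  resource_group: prodnso
  before_script:
    - export STAGE=prodnso
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
  only:
    refs:
      - prodnso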
###############################################################################
### http://patorjk.com/software/taag/#p=display&f=Doom&t=smardigo.yml
###
### _ _ _
### | (_) | |
### ___ _ __ ___ __ _ _ __ __| |_ __ _ ___ _ _ _ __ ___ | |
### / __| '_ ` _ \ / _` | '__/ _` | |/ _` |/ _ \| | | | '_ ` _ \| |
### \__ \ | | | | | (_| | | | (_| | | (_| | (_) | |_| | | | | | | |
### |___/_| |_| |_|\__,_|_| \__,_|_|\__, |\___(_)__, |_| |_| |_|_|
### __/ | __/ |
### |___/ |___/
###
###############################################################################
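# Template: re-applies smardigo.yml (tag `update_configurations`) to the
# `management` hosts of $STAGE whenever files under smardigo/ change. The
# concrete run-management-update-<stage> jobs provide before_script.
.run-management-update:
  extends: .run-ansible
  stage: run-update
  script:
    - "command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )"
    - eval $(ssh-agent -s)
    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
    - mkdir -p ~/.ssh
    - chmod 0700 ~/.ssh
    # Disables SSH host-key verification for all hosts inside the container;
    # unknown keys are accepted blindly (see .run-setup for the trade-off).
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
    - ssh-add -L
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    # NOTE(review): the inventory here is `stage-$STAGE`, while the other
    # sections use `stage-${STAGE}-netgo-hcloud.yml`; confirm this is the
    # intended inventory source.
    - ansible-playbook -i stage-$STAGE smardigo.yml --vault-password-file=/tmp/vault-pass -l management -t update_configurations -u gitlabci
  # Removes the vault password written by the per-stage before_script.
  after_script:
    - rm /tmp/vault-pass
  only:
    changes:
      - smardigo/**/*
  except:
    - schedules
# One job per stage. `only: refs:` is a hash and therefore deep-merges with
# the template's `only: changes:`; a bare `only:` list would overwrite it
# (GitLab `extends` overwrites non-hash values) and run on every push.
run-management-update-devnso:
  extends: .run-management-update
  environment: devnso
  resource_group: devnso
  before_script:
    - export STAGE=devnso
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
  only:
    refs:
      - main
run-management-update-qanso:
  extends: .run-management-update
  environment: qanso
  resource_group: qanso
  before_script:
    - export STAGE=qanso
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
  only:
    refs:
      - qanso
run-management-update-prodnso:
  extends: .run-management-update
  environment: prodnso
  resource_group: prodnso
  before_script:
    - export STAGE=prodnso
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
  only:
    refs:
      - prodnso
# demompmx shares the prodnso execution environment and branch.
run-management-update-demompmx:
  extends: .run-management-update
  environment: prodnso
  resource_group: demompmx
  before_script:
    - export STAGE=demompmx
    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
  only:
    refs:
      - prodnso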
###############################################################################
### http://patorjk.com/software/taag/#p=display&f=Doom&t=patchday.yml
### _ _ _ _
### | | | | | | | |
### _ __ __ _| |_ ___| |__ __| | __ _ _ _ _ _ _ __ ___ | |
### | '_ \ / _` | __/ __| '_ \ / _` |/ _` | | | || | | | '_ ` _ \| |
### | |_) | (_| | || (__| | | | (_| | (_| | |_| || |_| | | | | | | |
### | .__/ \__,_|\__\___|_| |_|\__,_|\__,_|\__, (_)__, |_| |_| |_|_|
### | | __/ | __/ |
### |_| |___/ |___/
###
###############################################################################
# Template for the scheduled patchday jobs: prepares the SSH agent in
# before_script and leaves `stage`, `script` and `rules` to the concrete jobs.
# Because this template owns before_script, the concrete jobs export STAGE and
# write the vault password at the top of their own `script`.
.run-patchday:
  extends: .run-ansible
  before_script:
    - "command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )"
    - eval $(ssh-agent -s)
    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
    - mkdir -p ~/.ssh
    - chmod 0700 ~/.ssh
    # Disables SSH host-key verification for all hosts inside the container;
    # unknown keys are accepted blindly (see .run-setup for the trade-off).
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
    - ssh-add -L
  # Patching a whole host group can exceed the default job timeout.
  timeout: 2h
# devnso patchday: scheduled pipelines on `main` only. Host groups are patched
# stage by stage (harbor -> elastic -> database -> everything else / k8s),
# each job limiting patchday.yml to one inventory group.
run-patchday-harbor-devnso:
  extends: .run-patchday
  environment: devnso
  stage: run-patchday-harbor
  resource_group: devnso
  script:
    - export STAGE=devnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'harbor'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
run-patchday-elastic-devnso:
  extends: .run-patchday
  environment: devnso
  stage: run-patchday-elastic
  resource_group: devnso
  script:
    - export STAGE=devnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'elastic'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
      when: manual  # Disable automatic execution of this stage. We have no Elastic hosts in devnso currently.
run-patchday-database-postgres-devnso:
  extends: .run-patchday
  environment: devnso
  stage: run-patchday-database
  resource_group: devnso
  script:
    - export STAGE=devnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'postgres'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
run-patchday-database-maria-devnso:
  extends: .run-patchday
  environment: devnso
  stage: run-patchday-database
  resource_group: devnso
  script:
    - export STAGE=devnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'maria'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
# Everything not covered by the group-specific jobs above, excluding the k8s
# cluster, which has its own job.
run-patchday-all-devnso:
  extends: .run-patchday
  environment: devnso
  stage: run-patchday-all
  resource_group: devnso
  script:
    - export STAGE=devnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'all:!harbor:!elastic:!postgres:!maria:!k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
run-patchday-all-k8s-devnso:
  extends: .run-patchday
  environment: devnso
  stage: run-patchday-all
  resource_group: devnso
  script:
    - export STAGE=devnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
# devscr runs with the devnso execution environment but its own inventory,
# vault password and resource group; only its k8s cluster is patched here.
run-patchday-all-k8s-devscr:
  extends: .run-patchday
  environment: devnso
  stage: run-patchday-all
  resource_group: devscr
  script:
    - export STAGE=devscr
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEVSCR}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
# qanso patchday: scheduled pipelines on the `qanso` branch only; same
# group-by-group sequence as devnso.
run-patchday-harbor-qanso:
  extends: .run-patchday
  environment: qanso
  stage: run-patchday-harbor
  resource_group: qanso
  script:
    - export STAGE=qanso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'harbor'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "qanso"
run-patchday-elastic-qanso:
  extends: .run-patchday
  environment: qanso
  stage: run-patchday-elastic
  resource_group: qanso
  script:
    - export STAGE=qanso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'elastic'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "qanso"
      # Disable automatic execution of this stage.
      # NOTE(review): the original comment was copied from the devnso job
      # ("no Elastic hosts in devnso"); confirm the same holds for qanso.
      when: manual
run-patchday-database-postgres-qanso:
  extends: .run-patchday
  environment: qanso
  stage: run-patchday-database
  resource_group: qanso
  script:
    - export STAGE=qanso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'postgres'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "qanso"
run-patchday-database-maria-qanso:
  extends: .run-patchday
  environment: qanso
  stage: run-patchday-database
  resource_group: qanso
  script:
    - export STAGE=qanso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'maria'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "qanso"
# Everything not covered by the group-specific jobs above, excluding the k8s
# cluster, which has its own job.
run-patchday-all-qanso:
  extends: .run-patchday
  environment: qanso
  stage: run-patchday-all
  resource_group: qanso
  script:
    - export STAGE=qanso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'all:!harbor:!elastic:!postgres:!maria:!k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "qanso"
run-patchday-all-k8s-qanso:
  extends: .run-patchday
  environment: qanso
  stage: run-patchday-all
  resource_group: qanso
  script:
    - export STAGE=qanso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "qanso"
# prodnso patchday: scheduled pipelines on the `prodnso` branch only; same
# group-by-group sequence as devnso. The prodwork01 jobs at the end share the
# prodnso execution environment and branch but use their own inventory,
# vault password and resource group.
run-patchday-harbor-prodnso:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-harbor
  resource_group: prodnso
  script:
    - export STAGE=prodnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'harbor'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
run-patchday-elastic-prodnso:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-elastic
  resource_group: prodnso
  script:
    - export STAGE=prodnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'elastic'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
      # Disable automatic execution of this stage.
      # NOTE(review): the original comment was copied from the devnso job
      # ("no Elastic hosts in devnso"); confirm the same holds for prodnso.
      when: manual
run-patchday-database-postgres-prodnso:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-database
  resource_group: prodnso
  script:
    - export STAGE=prodnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'postgres'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
run-patchday-database-maria-prodnso:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-database
  resource_group: prodnso
  script:
    - export STAGE=prodnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'maria'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
# Everything not covered by the group-specific jobs above, excluding the k8s
# cluster, which has its own job.
run-patchday-all-prodnso:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-all
  resource_group: prodnso
  script:
    - export STAGE=prodnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'all:!harbor:!elastic:!postgres:!maria:!k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
run-patchday-all-k8s-prodnso:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-all
  resource_group: prodnso
  script:
    - export STAGE=prodnso
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
# prodwork01 has no separate harbor/elastic/database jobs: everything except
# the k8s cluster is patched in one go.
run-patchday-all-prodwork01:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-all
  resource_group: prodwork01
  script:
    - export STAGE=prodwork01
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'all:!k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
run-patchday-all-k8s-prodwork01:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-all
  resource_group: prodwork01
  script:
    - export STAGE=prodwork01
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
# demompmx patchday: shares the prodnso execution environment and branch but
# uses its own inventory, vault password and resource group. There are no
# harbor/elastic jobs for this stage, so the "all" job excludes only the
# database groups and the k8s cluster.
run-patchday-database-postgres-demompmx:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-database
  resource_group: demompmx
  script:
    - export STAGE=demompmx
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'postgres'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
run-patchday-database-maria-demompmx:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-database
  resource_group: demompmx
  script:
    - export STAGE=demompmx
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'maria'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
run-patchday-all-demompmx:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-all
  resource_group: demompmx
  script:
    - export STAGE=demompmx
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'all:!postgres:!maria:!k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
run-patchday-all-k8s-demompmx:
  extends: .run-patchday
  environment: prodnso
  stage: run-patchday-all
  resource_group: demompmx
  script:
    - export STAGE=demompmx
    - export HETZNER_LABEL_SELECTOR="stage=${STAGE}"
    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
    - ansible-playbook -i stage-${STAGE}-netgo-hcloud.yml patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci --limit 'k8s_cluster'
  after_script:
    - rm /tmp/vault-pass
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"
###############################################################################
### http://patorjk.com/software/taag/#p=display&f=Doom&t=hcloud-firewall.yml
###
### _ _ _ __ _ _ _ _
### | | | | | | / _(_) | | | | |
### | |__ ___| | ___ _ _ __| |______| |_ _ _ __ _____ ____ _| | | _ _ _ __ ___ | |
### | '_ \ / __| |/ _ \| | | |/ _` |______| _| | '__/ _ \ \ /\ / / _` | | || | | | '_ ` _ \| |
### | | | | (__| | (_) | |_| | (_| | | | | | | | __/\ V V / (_| | | || |_| | | | | | | |
### |_| |_|\___|_|\___/ \__,_|\__,_| |_| |_|_| \___| \_/\_/ \__,_|_|_(_)__, |_| |_| |_|_|
### __/ |
### |___/
###
###############################################################################
# Template: applies hcloud_firewall.yml for the stage passed as an extra var.
# No inventory and no SSH agent are set up here — presumably the playbook
# only talks to the Hetzner Cloud API. The concrete run-hcloud-firewall-<stage>
# jobs provide before_script (STAGE export and vault password file).
.run-hcloud-firewall:
  extends: .run-ansible
  stage: run-hcloud-firewall
  script:
    - ansible-playbook -e "stage=${STAGE}" hcloud_firewall.yml --vault-password-file /tmp/vault-pass
  # Removes the vault password written by the per-stage before_script.
  after_script:
    - rm /tmp/vault-pass
  except:
    - schedules
# One firewall job per stage, pinned to that environment's branch. devscr,
# prodwork01 and demompmx reuse the devnso/prodnso execution environment.
run-hcloud-firewall-devnso:
  extends: .run-hcloud-firewall
  environment: devnso
  resource_group: devnso
  before_script:
    - export STAGE=devnso
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
  only:
    - main
run-hcloud-firewall-devscr:
  extends: .run-hcloud-firewall
  environment: devnso
  resource_group: devscr
  before_script:
    - export STAGE=devscr
    - echo "${ANSIBLE_VAULT_PASS_DEVSCR}" > /tmp/vault-pass
  only:
    - main
run-hcloud-firewall-qanso:
  extends: .run-hcloud-firewall
  environment: qanso
  resource_group: qanso
  before_script:
    - export STAGE=qanso
    - echo "${ANSIBLE_VAULT_PASS_QANSO}" > /tmp/vault-pass
  only:
    - qanso
run-hcloud-firewall-prodnso:
  extends: .run-hcloud-firewall
  environment: prodnso
  resource_group: prodnso
  before_script:
    - export STAGE=prodnso
    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
  only:
    - prodnso
run-hcloud-firewall-prodwork01:
  extends: .run-hcloud-firewall
  environment: prodnso
  resource_group: prodwork01
  before_script:
    - export STAGE=prodwork01
    - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
  only:
    - prodnso
run-hcloud-firewall-demompmx:
  extends: .run-hcloud-firewall
  environment: prodnso
  resource_group: demompmx
  before_script:
    - export STAGE=demompmx
    - echo "${ANSIBLE_VAULT_PASS_DEMOMPMX}" > /tmp/vault-pass
  only:
    - prodnso
###############################################################################
### http://patorjk.com/software/taag/#p=display&f=Doom&t=Digitialocean
###
### ______ _ _ _ _ _
### | _ (_) (_) | (_) | |
### | | | |_ __ _ _| |_ _ __ _| | ___ ___ ___ __ _ _ __
### | | | | |/ _` | | __| |/ _` | |/ _ \ / __/ _ \/ _` | '_ \
### | |/ /| | (_| | | |_| | (_| | | (_) | (_| __/ (_| | | | |
### |___/ |_|\__, |_|\__|_|\__,_|_|\___/ \___\___|\__,_|_| |_|
### __/ |
### |___/
###
###############################################################################
# Full setup of the DigitalOcean hosts (static inventory `stage-digitalocean`):
# setup.yml with tag `common`, then the complete smardigo.yml.
# NOTE(review): the job runs in stage `run-setup`; the `run-setup-digitalocean`
# stage declared at the top is not used by any job in this file.
run-setup-digitalocean:
  extends: .run-ansible
  environment: devnso
  stage: run-setup
  before_script:
    # STAGE is exported for parity with the hcloud jobs; the inventory below
    # does not depend on it.
    - export STAGE=devnso
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
  script:
    - "command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )"
    - eval $(ssh-agent -s)
    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
    - mkdir -p ~/.ssh
    - chmod 0700 ~/.ssh
    # Disables SSH host-key verification for all hosts inside the container;
    # unknown keys are accepted blindly (see .run-setup for the trade-off).
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
    - ssh-add -L
    - ansible-playbook -i stage-digitalocean setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
    - ansible-playbook -i stage-digitalocean smardigo.yml --vault-password-file /tmp/vault-pass -u gitlabci
  after_script:
    - rm /tmp/vault-pass
  only:
    - main
  except:
    - schedules
# Scheduled patchday for the DigitalOcean hosts (static inventory
# `stage-digitalocean`, no host-group limit). Does not extend .run-patchday,
# so the SSH setup is repeated here.
# NOTE(review): unlike the other patchday jobs this one has no
# `resource_group`, so two scheduled pipelines could patch these hosts
# concurrently.
run-patchday-devnso-digitalocean:
  extends: .run-ansible
  environment: devnso
  stage: run-patchday-all
  before_script:
    - echo "${ANSIBLE_VAULT_PASS_DEVNSO}" > /tmp/vault-pass
  script:
    - "command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )"
    - eval $(ssh-agent -s)
    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
    - mkdir -p ~/.ssh
    - chmod 0700 ~/.ssh
    # Disables SSH host-key verification for all hosts inside the container;
    # unknown keys are accepted blindly (see .run-setup for the trade-off).
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
    - ssh-add -L
    - ansible-playbook -i stage-digitalocean patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci
  after_script:
    - rm /tmp/vault-pass
  # Patching a whole host set can exceed the default job timeout.
  timeout: 2h
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"