hetzner-ansible/group_vars/all/firewall.yml

---
hcloud_firewall_objects:
   -
     name: "{{ stage }}-default"
     state: present
     rules:
     -
        direction: in
        protocol: icmp
        port: ''
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: "ICMP allowed"
     -
        direction: in
        protocol: tcp
        port: '22'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: "Allow access to SSH for whitelisted ips"
     -
        direction: in
        protocol: tcp
        port: '80'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: "Allow access to HTTP for whitelisted ips"
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: "Allow access to HTTPS for whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }}'
   -
     name: "{{ stage }}-monitoring"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '9080-9085'
        source_ips: '{{ ip_whitelist + [ lookup("community.general.dig", stage + "-prometheus-01." + domain ) + "/32"]  }}'
        destination_ips: []
        description: "Allow access to Server/Service Monitoring for whitelisted ips"
     -
        direction: in
        protocol: tcp
        port: '9001'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: "Allow access to PgAdmin Monitoring for whitelisted ips"
     -
        direction: in
        protocol: tcp
        port: '9187'
        source_ips: '{{ ip_whitelist }}'
        destination_ips: []
        description: "Allow access to Postgres-Exporter Monitoring for whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }}'
   -
     name: "{{ stage }}-monitoring-extern-https"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips:
         - "{{ lookup('community.general.dig', '{{ shared_service_hostname_blackbox_exporter }}' ) }}/32"
        destination_ips: []
        description: "Allow access to Blackbox Monitoring for whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=connect'
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=keycloak'
   -
     name: "{{ stage }}-access-to-kubernetes-api"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '6443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to K8-API for whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=kube_control_plane'

hcloud_firewall_objects_awx:
   -
     name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '22'
        source_ips: "{{ k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to SSH from kubernetes worker nodes"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service'

hcloud_firewall_objects_vpn:
   -
     name: "{{ stage }}-vpn-access"
     state: present
     rules:
     -
        direction: in
        protocol: udp
        port: "{{ service_port_wireguard }}"
        source_ips: 
          - "0.0.0.0/0"
        destination_ips: []
        description: "Allow access to VPN"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=vpn'

hcloud_firewall_objects_backup:
   -
     name: "{{ stage }}-backup-ssh-access"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '22'
        source_ips:
          - "{{ offsite_storage_server_ip }}"
        destination_ips: []
        description: "Allow access to BACKUP from offsite"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=backup'

hcloud_firewall_objects_gitea:
   -
     name: "{{ stage }}-access-to-gitea"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to GITEA for whitelisted ips"
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to GITEA for kubernetes worker nodes"
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (gitea_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access to GITEA for custom whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=gitea'

hcloud_firewall_objects_keycloak:
   -
     name: "{{ stage }}-access-to-keycloak"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to KEYCLOAK for custom whitelisted ips"
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to KEYCLOAK for kubernetes worker nodes"
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (keycloak_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access to KEYCLOAK for custom whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=keycloak'

hcloud_firewall_objects_kibana:
   -
     name: "{{ stage }}-access-to-kibana"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to KIBANA for whitelisted ips"
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to KIBANA for kubernetes worker nodes"
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (kibana_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access to KIBANA for custom whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=kibana'

hcloud_firewall_objects_management:
   -
     name: "{{ stage }}-access-to-management"
     state: present
     rules:
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ ip_whitelist }}"
        destination_ips: []
        description: "Allow access to MANAGEMENT for whitelisted ips"
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
        destination_ips: []
        description: "Allow access to MANAGEMENT for kubernetes worker nodes"
     -
        direction: in
        protocol: tcp
        port: '443'
        source_ips: "{{ [shared_service_network] + (management_https_whitelisted_ips | default([])) }}"
        destination_ips: []
        description: "Allow access to MANAGEMENT for custom whitelisted ips"
     apply_to:
     -
       type: label_selector
       label_selector:
         selector: 'stage={{ stage }},service=connect,tenant=management'