chore(prod): capture production bootstrap access configuration

Document and commit the production bootstrap state after the initial Hetzner and Ansible rollout. - switch Ansible prod runbooks to use the shared vault password file - record production admin CIDRs, SSH key path, encrypted group vault, and encrypted per-host vault files - add generated production inventory and the prod setup history notes from the first bootstrap - keep root password login disabled while preserving key-based root access for Ansible bootstrap continuity - document separate Hetzner projects and tokens for test/prod and commit the prod provider lock file - remove the private Redis firewall allowance from the prod Terraform firewall and matching setup docs
2026-05-19 17:49:59 +03:00 · 2026-05-19 17:49:59 +03:00 · 9e20f2fcf8
commit 9e20f2fcf8
parent 17be81a66e
18 changed files with 304 additions and 30 deletions
--- a/ansible/README.md
+++ b/ansible/README.md
@ -323,27 +323,27 @@ Ana playbook: `prod-bootstrap.yml`
 # 1. Temel sunucu hazırlıkları (tüm node'lar)
 ansible-playbook prod-bootstrap.yml \
  --tags base,hardening,docker,node_dirs,storagebox,storagebox_ssh_key \
-  --ask-vault-pass
+  --vault-password-file=../.vault_pass

 # 2. Swarm kurulumu (app node'lar önce, ardından db node'lar)
 ansible-playbook prod-bootstrap.yml \
  --tags swarm \
-  --ask-vault-pass
+  --vault-password-file=../.vault_pass

 # 3. DB node label'ları (Patroni koordinasyonu için)
 ansible-playbook prod-bootstrap.yml \
  --tags db_labels \
-  --ask-vault-pass
+  --vault-password-file=../.vault_pass

 # 4. DB node konfigürasyonu (StorageBox dizin ve config dosyaları)
 ansible-playbook prod-bootstrap.yml \
  --tags db_stack \
-  --ask-vault-pass
+  --vault-password-file=../.vault_pass

 # 5. App node runner kurulumu
 ansible-playbook prod-bootstrap.yml \
  --tags act_runner \
-  --ask-vault-pass
+  --vault-password-file=../.vault_pass
 ```

 ### Prod Act Runner
--- a/ansible/prod/group_vars/all/vars.yml
+++ b/ansible/prod/group_vars/all/vars.yml
@ -19,6 +19,6 @@ iklim_password: "{{ vault_iklim_password }}"
 act_runner_labels: "prod-runner,ubuntu-24.04,{{ inventory_hostname }}"
 swarm_manager_ip: "10.20.10.11"
 mongodb_replset_name: "rs0"
-admin_allowed_cidrs: "127.0.0.1/8"
-admin_ssh_public_key_path: "~/.ssh/id_ed25519.pub"
+admin_allowed_cidrs: "78.187.87.109/32 95.70.151.248/32"
+admin_ssh_public_key_path: "~/.ssh/id_rsa.pub"
 timezone: "Europe/Istanbul"
--- a/ansible/prod/group_vars/all/vault.yml
+++ b/ansible/prod/group_vars/all/vault.yml
@ -1,7 +1,18 @@
-# Bu dosya ansible-vault ile şifrelenmelidir:
-#   ansible-vault encrypt group_vars/all/vault.yml
-#
-# Gerçek değerleri girdikten sonra şifreleyin.
-vault_storagebox_password: "CHANGE_ME"
-vault_iklim_password: "CHANGE_ME"
-vault_gitea_runner_token: "CHANGE_ME"
+$ANSIBLE_VAULT;1.1;AES256
+65346532343639643339393034653934623131356161666233303537643731346264313262613362
+3034643838306533303631356537613438316430373733310a643766326231353065643263643039
+31663634346663623137396237313663313332663666363437373935656235353530393735383434
+3730343864333365390a313030386439653438386337666162623264333832363766306161323230
+66613534326166323365656133376535623738633738353361363430336139643261326638393265
+34376261613566343139346639363731353331333563333263396530376537646261336137636562
+61633234646132313337343064353537623232613734636131316536333432393236363633366539
+62633138346463316433613433343265313831643562366661313934306534663930333539363136
+65386538346262306637626261323066366364346364316232663865356165383335626536353764
+64346431313231643963383633326266313135653436363634623939373739326665663865366439
+38636364363631303632363566323239336438303337323934353365653531383833363239323865
+64656635626265313761636239356135326237383931623534633361373632613234313265613730
+37396436656162656466386136316338316537343730623364353239346336313931663864623363
+66663432363332393134386130643530653163343563353336666135313065383762666131633239
+64353935376439313334326238373336653233386135333831383831643737356231313435323765
+30353130333530356334653864376635636634653262333936396234653264323830333935616532
+38393335306362323031643563643636393464636635633435373334393563656531
--- a/ansible/prod/host_vars/iklim-app-01/vault.yml
+++ b/ansible/prod/host_vars/iklim-app-01/vault.yml
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+63323930326135303866313564613466653934323030376361623034393939633866336430376533
+6462363534393332383738333239656539623531363131300a313938623030363363643964393464
+34306537623534633464343138333637643834346433323036643963383438336138623933303765
+3337313864633233320a626630646434323564363133303639356336633364633361333731353665
+30313761323232343431636361316134343966636631336464353437656331343032643763333931
+61373264653465373539383961333963383962326561336563326133613363636336366339316461
+32386234383935313663306638613439323034386162646330333232303233393866323963313733
+34356637326130666431333131396365333166666530643736303532303165346435306261386238
+66376638353961326537306337363661366339346530346132666639306436313931
--- a/ansible/prod/host_vars/iklim-app-02/vault.yml
+++ b/ansible/prod/host_vars/iklim-app-02/vault.yml
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+33343166373333306130643431346235663338353864613434383735616433633965323138653430
+6533303238613038656233653533636134643431643264390a386663306439303563313133393037
+30363065323637653565343364396131383965633333633039653734666339636161373531386537
+3732383139366330350a653938323231323066336639643035373662643336616235636334383264
+66316531643566376130656434663732396233353839306364353861653461353537316236656563
+64376362303738623636313934326239396135636564313434336562333033313661663231616636
+35373462313039313062323861343732643933366332303231366139643938643461396537663232
+36343739383536383566616136353831313836666534333564653366323563343839376137343135
+66393132376665346532346466363232616530373138376663633666366465343562
--- a/ansible/prod/host_vars/iklim-app-03/vault.yml
+++ b/ansible/prod/host_vars/iklim-app-03/vault.yml
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+39626463653031613934666436643634613565633662653239623463663762633866346533643735
+3136656338316232613833666562356666333336663936370a373432636135396332666662656363
+64333265663465636639646234313666656335656530613935363461356338323534623434646561
+3034393565356664300a326530393266393536336230343539626232363034373636393330313964
+64346136623433663232323561353532653830373935343134646633303836663839663261656231
+37643830323836333531336565396639376265323636616638646565336531393837313430623463
+37323934623962643462303934616139376339343766356230336464663132333363643634333062
+63643936363235656335613737653033353965666561303663313239386437303561663962653363
+34396133613133376262313038373336626465346262646265323732363764356662
--- a/ansible/prod/host_vars/iklim-db-01/vault.yml
+++ b/ansible/prod/host_vars/iklim-db-01/vault.yml
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+65663364653331336437306263396364393762303663643136386635323932623035653362653433
+3362356535343639616331363365363131356435653634640a323932393434653066343038653037
+34336538353436643136353766333865616463393961663236303164363331336461323636623934
+3432393632643831640a356537633966383839653536346666663736353766346538396136363436
+30643631366634653961623334363432336164636531353438346133386463663861623763613031
+30386131316664643135646333323532326634373466356138613831633565336638376662323061
+65636162643761623638663831376466356637306236393663383237323836366536353365383831
+62343734633036376438366563616633666337323633616139373935333563386238316537353335
+64653061356162656431303335313833356135363430623065656536386436313438
--- a/ansible/prod/host_vars/iklim-db-02/vault.yml
+++ b/ansible/prod/host_vars/iklim-db-02/vault.yml
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+34636563333137303834326537653261653665653432353536373361633631383665623730323838
+6335626530306664386664363933313430366633306639650a336532643964366338383962633663
+62356431663737323734356532376437303837363936346662393664626162643063343761306361
+6433643837326665610a623939393065373165653330643930393130343830336230626333646137
+33666530343663306262306565323039653831623138366361353861653132616138653238366438
+65396335666161666431353639373838343464326631303939616633316538613633373762303935
+36393939393664663863616539373565326563393366343135306264643433353731663933313838
+37366334333530343732343639383362643464303266653566316439663834393731363337393137
+37626239643761666537613233613939353161373366346635656436613432616530
--- a/ansible/prod/host_vars/iklim-db-03/vault.yml
+++ b/ansible/prod/host_vars/iklim-db-03/vault.yml
@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+38353632326532653638643432336139353565633734653664333531613539316338623764653166
+6565353931643661633462346366376464636262383536640a613535613266653161313936643735
+63316334383663383430353235373434636632613664653730663631643362303635316236383166
+6637633631636232640a336135323636383131303831656362306663396134653132363964353266
+37383137353430326233383562623361663463356238643334323965396430323337653133323063
+37313133623934663537333532636164386263346166623330333164303031373063346164363466
+64373438356430373465666331623930313534633238373330303266313165623364393837643138
+37636138623337393230343363353765343664373230636231633031636363313761346234363865
+38663832646236333263303034656539363339616635353961376439373766663136
--- a/ansible/prod/inventory/generated/prod.yml
+++ b/ansible/prod/inventory/generated/prod.yml
@ -0,0 +1,31 @@
+"all":
+  "children":
+    "app":
+      "hosts":
+        "iklim-app-01":
+          "ansible_host": "178.104.210.41"
+          "ansible_user": "root"
+          "hetzner_floating_ip": "78.47.220.82"
+          "private_ip": "10.20.10.11"
+        "iklim-app-02":
+          "ansible_host": "178.105.69.1"
+          "ansible_user": "root"
+          "private_ip": "10.20.10.12"
+        "iklim-app-03":
+          "ansible_host": "178.104.219.3"
+          "ansible_user": "root"
+          "private_ip": "10.20.10.13"
+    "db":
+      "hosts":
+        "iklim-db-01":
+          "ansible_host": "159.69.117.158"
+          "ansible_user": "root"
+          "private_ip": "10.20.20.11"
+        "iklim-db-02":
+          "ansible_host": "178.104.219.162"
+          "ansible_user": "root"
+          "private_ip": "10.20.20.12"
+        "iklim-db-03":
+          "ansible_host": "159.69.115.105"
+          "ansible_user": "root"
+          "private_ip": "10.20.20.13"
--- a/ansible/roles/hardening/tasks/main.yml
+++ b/ansible/roles/hardening/tasks/main.yml
@ -16,7 +16,7 @@
    state: present
  loop:
    - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" }
-    - { regexp: "^PermitRootLogin", line: "PermitRootLogin no" }
+    - { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" }
    - { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" }
    - { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" }
  notify: Restart sshd
--- a/facts/prod-kurulum-gecmisi.md
+++ b/facts/prod-kurulum-gecmisi.md
@ -0,0 +1,138 @@
+# Prod Ortamı Kurulum Geçmişi
+
+İlk prod kurulumunda yaşanan sorunlar, uygulanan düzeltmeler ve mevcut durum.
+
+## Terraform
+
+### Ayrı Hetzner Projesi Zorunluluğu
+
+Test ve prod ayrı Hetzner Cloud projelerinde çalışır. Her proje için ayrı API token alınmalıdır.
+
+Aynı token kullanılırsa `terraform apply` sırasında SSH key çakışması hatası alınır:
+
+```
+SSH key not unique (uniqueness_error, <fingerprint>)
+```
+
+Hetzner Cloud, aynı public key'i bir projede yalnızca bir kez kabul eder. Test projesinde oluşturulmuş key, prod projesine ait olmayan bir token ile kullanılamaz.
+
+**Düzeltme:** `terraform/hetzner/prod/terraform.tfvars` içindeki `hcloud_token` değeri `iklim_prod` projesinin token'ı olmalıdır.
+
+### State Kaybı Sonrası SSH Key Import
+
+Terraform state'i olmadan `terraform apply` çalıştırılırsa, Hetzner'da zaten var olan SSH key yeniden oluşturulmaya çalışılır ve yukarıdaki hata alınır. Bu durumda key Hetzner Console → Security → SSH Keys üzerinden ID'si bulunarak import edilir:
+
+```bash
+terraform import hcloud_ssh_key.admin <ID>
+```
+
+### prevent_destroy
+
+Prod sunucuları `lifecycle { prevent_destroy = true }` ile korunur. `terraform destroy` çalıştırmak gerekirse bu değer geçici olarak `false` yapılır, işlem bittikten sonra tekrar `true`'ya alınır.
+
+### Inventory Üretimi
+
+```bash
+cd Environment_Infrastructure/terraform/hetzner/prod
+mkdir -p ../../../ansible/prod/inventory/generated
+terraform output -raw ansible_inventory_yaml > ../../../ansible/prod/inventory/generated/prod.yml
+```
+
+## Ansible
+
+### admin_allowed_cidrs
+
+`group_vars/all/vars.yml` içindeki `admin_allowed_cidrs` değeri başlangıçta `127.0.0.1/8` olarak tanımlanmıştı. Bu değer hardening rolü tarafından firewalld'a uygulanır ve SSH erişimini tamamen kapatır.
+
+Doğru değer: tüm admin IP'lerini boşlukla ayrılmış string olarak içermelidir.
+
+```yaml
+admin_allowed_cidrs: "78.187.87.109/32 95.70.151.248/32"
+```
+
+Terraform `terraform.tfvars` içindeki `admin_allowed_cidrs` ile birebir uyumlu olmalıdır.
+
+### admin_ssh_public_key_path
+
+`group_vars/all/vars.yml` içinde başlangıçta `~/.ssh/id_ed25519.pub` yazıyordu; bu makinede bu dosya yoktu. Doğru değer:
+
+```yaml
+admin_ssh_public_key_path: "~/.ssh/id_rsa.pub"
+```
+
+### PermitRootLogin
+
+Hardening rolü başlangıçta `PermitRootLogin no` uyguluyordu. Bu ayar sshd handler'ı ilk play'in sonunda tetiklediğinden, aynı Ansible çalışmasının devamındaki play'ler (swarm, db_labels, db_stack, act_runner) root ile bağlanamıyordu.
+
+**Düzeltme:** `PermitRootLogin prohibit-password` olarak değiştirildi. Key tabanlı root girişi açık kalır; parola ile root girişi engellenir. Ansible tüm bootstrap boyunca root ile bağlanmaya devam edebilir.
+
+### vault_iklim_password — Per-Host Şifre
+
+`vault_iklim_password` başlangıçta `group_vars/all/vault.yml` içinde tek bir değer olarak tanımlıydı; tüm sunuculara aynı şifre uygulanıyordu.
+
+Her sunucuya farklı şifre vermek için `host_vars/<hostname>/vault.yml` yapısına geçildi:
+
+```text
+prod/
+  group_vars/all/vault.yml        ← vault_iklim_password KALDIRILDI
+  host_vars/
+    iklim-app-01/vault.yml        ← vault_iklim_password: "<şifre>"
+    iklim-app-02/vault.yml
+    iklim-app-03/vault.yml
+    iklim-db-01/vault.yml
+    iklim-db-02/vault.yml
+    iklim-db-03/vault.yml
+```
+
+Her dosya ayrı ayrı şifrelenir: `ansible-vault encrypt host_vars/<hostname>/vault.yml`
+
+### StorageBox Mount
+
+StorageBox WebDAV mount (`/mnt/storagebox`) davfs2 ile yapılır. Aynı anda 6 sunucunun mount denemesi zaman zaman sorun çıkarabilir; Ansible idempotent çalıştığından tekrar çalıştırmak yeterlidir.
+
+### Bootstrap Çalıştırma Sırası
+
+```bash
+cd Environment_Infrastructure/ansible/prod
+
+# 1. Tüm node'lar
+ansible-playbook prod-bootstrap.yml \
+  --tags base,hardening,docker,node_dirs,storagebox,storagebox_ssh_key \
+  --ask-vault-pass
+
+# 2. Swarm kurulumu
+ansible-playbook prod-bootstrap.yml \
+  --tags swarm \
+  --ask-vault-pass
+
+# 3. DB node label'ları
+ansible-playbook prod-bootstrap.yml \
+  --tags db_labels \
+  --ask-vault-pass
+
+# 4. DB node konfigürasyonu
+ansible-playbook prod-bootstrap.yml \
+  --tags db_stack \
+  --ask-vault-pass
+
+# 5. Act runner kurulumu
+ansible-playbook prod-bootstrap.yml \
+  --tags act_runner \
+  --ask-vault-pass
+```
+
+## Mevcut Durum (2026-05-19)
+
+| Adım | Durum |
+| --- | --- |
+| Terraform — 6 sunucu, ağ, firewall, floating IP | ✅ |
+| Ansible base + hardening + docker + node_dirs | ✅ |
+| Ansible storagebox + storagebox_ssh_key | ✅ |
+| Ansible swarm (3 manager app + 3 worker db) | ✅ |
+| Ansible db_labels (Patroni koordinasyonu için) | ✅ |
+| Ansible db_stack (StorageBox DB dizinleri) | ✅ |
+| Ansible act_runner (3 prod runner Gitea'da Idle) | ✅ |
+| DB stack deploy (docker-stack-db.prod.yml) | ⏳ bekliyor |
+| MongoDB replica set init | ⏳ bekliyor |
+| Ana infra stack deploy (docker-stack-infra.prod.yml) | ⏳ bekliyor |
+| Deploy pipeline ilk çalışma | ⏳ bekliyor |
--- a/setup/03-test-ansible-bootstrap.md
+++ b/setup/03-test-ansible-bootstrap.md
@ -169,7 +169,7 @@ Applied to all test nodes:
 Applied to all test nodes:

 - SSH password login is disabled.
- Root SSH login is disabled.
+- Root SSH login via password is disabled (`PermitRootLogin prohibit-password`); key-based root login remains active so Ansible can connect throughout the bootstrap.
 - Only SSH key login remains.
 - `PermitEmptyPasswords no`
 - `MaxAuthTries 3`
--- a/setup/06-prod-terraform-iaac.md
+++ b/setup/06-prod-terraform-iaac.md
@ -69,7 +69,7 @@ location                  = "fsn1"
 image                     = "rocky-10"
 server_type_app           = "cpx42"
 server_type_db            = "cpx32"
-admin_ssh_public_key_path = "~/.ssh/id_ed25519.pub"
+admin_ssh_public_key_path = "~/.ssh/id_rsa.pub"
 admin_allowed_cidrs       = ["X.X.X.X/32"]
 ```

@ -137,7 +137,6 @@ The following ports will not be opened publicly in prod:
 - `8200/tcp` Vault
 - `5432/tcp` PostgreSQL
 - `27017/tcp` MongoDB
- `6379/tcp` Redis
 - `5672/tcp`, `15672/tcp`, `61613/tcp`, `15674/tcp` RabbitMQ
 - `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` Docker Swarm
 - `9180/tcp` APISIX Admin API
@ -156,7 +155,6 @@ Source from app subnet (`10.20.10.0/24`):
 | `7946/tcp,udp` | Docker Swarm node discovery | From app subnet |
 | `4789/udp` | Docker Swarm VXLAN overlay | From app subnet |
 | `8200/tcp` | Vault | Docker overlay / private network |
-| `6379/tcp` | Redis | From app subnet |
 | `5672/tcp` | RabbitMQ AMQP | From app subnet |
 | `61613/tcp` | RabbitMQ STOMP | From app subnet |
 | `15674/tcp` | RabbitMQ Web STOMP | From app subnet |
--- a/setup/07-prod-ansible-bootstrap.md
+++ b/setup/07-prod-ansible-bootstrap.md
@ -165,7 +165,7 @@ Applied to all prod nodes:
 Applied to all prod nodes:

 - SSH password auth is disabled.
- Root SSH login is disabled.
+- Root SSH login via password is disabled (`PermitRootLogin prohibit-password`); key-based root login remains active so Ansible can connect throughout the bootstrap.
 - Only SSH key auth remains.
 - `PermitEmptyPasswords no`
 - `MaxAuthTries 3`
--- a/terraform/hetzner/README.md
+++ b/terraform/hetzner/README.md
@ -29,26 +29,47 @@ Her ortam kendi bağımsız Terraform state dosyasına sahiptir; birbirini etkil
 ## Ön Koşullar

 - Terraform >= 1.5 kurulu olmalı.
- Hetzner Cloud ortama özel proje API token'ı hazır olmalı (test ve prod ayrı proje).
+- Her ortam için **ayrı** Hetzner Cloud projesi ve API token'ı hazır olmalı (aşağıya bak).
 - `terraform.tfvars` dosyası oluşturulmuş olmalı (bkz. `terraform.tfvars.example`).

+## ⚠️ Her Ortam İçin Ayrı Hetzner Projesi Gereklidir
+
+Test ve prod **farklı Hetzner Cloud projeleri** altında çalışır; her projenin kendi API token'ı olmalıdır.
+
+**Neden ayrı proje?**
+
+- Hetzner Cloud, aynı SSH public key'i bir projede yalnızca bir kez kabul eder. Test ortamının token'ı prod için kullanılırsa `terraform apply` SSH key çakışmasıyla (`uniqueness_error`) hata verir.
+- Kaynak izolasyonu: test destroy işlemi prod kaynaklarını etkilemez.
+- Maliyet ve kota takibi ortam bazında yapılabilir.
+
+**Token nasıl alınır:**
+
+1. [Hetzner Cloud Console](https://console.hetzner.cloud) → ilgili projeyi seç (ör. `iklim_prod`).
+2. **Security → API Tokens → Generate API Token** — Read & Write izni ver.
+3. Token yalnızca bir kez gösterilir; hemen kopyala.
+4. `terraform.tfvars` içindeki `hcloud_token` değerine yapıştır.
+
+> Test `terraform.tfvars` içindeki token prod dizinine **kopyalanmamalıdır.** Her ortamın kendi dizininde kendi token'ı olmalıdır.
+
 ## terraform.tfvars Kurulumu

 ```bash
 # Test için:
 cd terraform/hetzner/test
 cp terraform.tfvars.example terraform.tfvars
+# hcloud_token = iklim_test projesi token'ı

 # Prod için:
 cd terraform/hetzner/prod
 cp terraform.tfvars.example terraform.tfvars
+# hcloud_token = iklim_prod projesi token'ı
 ```

 `terraform.tfvars` içindeki değişkenler:

 | Değişken | Açıklama |
 | --- | --- |
-| `hcloud_token` | Hetzner Cloud ortama özel proje API token'ı |
+| `hcloud_token` | **Ortama özel** Hetzner Cloud API token'ı — test ve prod token'ları birbirinden farklıdır |
 | `location` | Sunucu lokasyonu (örn. `fsn1`) |
 | `image` | Sunucu işletim sistemi (örn. `rocky-10`) |
 | `server_type_app` | App sunucu tipi |
--- a/terraform/hetzner/prod/.terraform.lock.hcl
+++ b/terraform/hetzner/prod/.terraform.lock.hcl
@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+  version     = "1.63.0"
+  constraints = "~> 1.49"
+  hashes = [
+    "h1:1Yxj4ZifWjSYntT/IK08jX71yeO6cwLBJ2r1YdrOP+0=",
+    "zh:0510f27825d28b065615c6e715a4aae38a50633195a8a88d4507476bb6484c33",
+    "zh:0fba95c8fc048155c2211f15f850b75fe33cac96201bcaaa28467b32f6ac568e",
+    "zh:11d917ac92ca30fe82d362465a1685b3a9f9a3abcd486b0114ff680746d0af08",
+    "zh:3fccfeb0c12041223edfe8f4e6d53c285c050dad5611e57e3e27a3233ab41459",
+    "zh:4cd4b626f2ce0f2cc49a1eaf62e1a8b4a0868cd902f3181019215cabfd841aae",
+    "zh:57baa59c7e80fa5612347a7208aa8e2b1fd88563e91b6a68fe154f507d75d210",
+    "zh:695cf459e16fabfa25348cf00299ff57b100992c2e56e27ebebb91923acdd7f3",
+    "zh:6a68c3280930f06158b4b6cbbc4b6329a3b28de42bd5ca284e8b4f1a141f5899",
+    "zh:9b860ac44e673a3901f782730929c99c229437d9020214cd786952f8de94a10d",
+    "zh:b8704c7d7f76b1bf8ef7fd722e174d1cd5a0c9901c4fdee1145623583f83629a",
+    "zh:e3f1e222886b4f48ab102f6e898fd69a0a084fb5e0e3b5de4245b842ed96b459",
+    "zh:f3b9fc88a0ffed753e5c17589177aa3ab524909f568506b04c348f93ca3c4e5c",
+    "zh:f9c3fb21c9f64e82841811e7ef51e3a102c1af801153a670bffd005d89476f0e",
+  ]
+}
--- a/terraform/hetzner/prod/firewall.tf
+++ b/terraform/hetzner/prod/firewall.tf
@ -97,14 +97,6 @@ resource "hcloud_firewall" "app" {
    description = "Vault API — private only, never public"
  }

-  rule {
-    direction   = "in"
-    protocol    = "tcp"
-    port        = "6379"
-    source_ips  = [local.app_subnet_cidr]
-    description = "Redis"
-  }
-
  rule {
    direction   = "in"
    protocol    = "tcp"