diff --git a/ansible/README.md b/ansible/README.md index bb70f4c..0383207 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -323,27 +323,27 @@ Ana playbook: `prod-bootstrap.yml` # 1. Temel sunucu hazırlıkları (tüm node'lar) ansible-playbook prod-bootstrap.yml \ --tags base,hardening,docker,node_dirs,storagebox,storagebox_ssh_key \ - --ask-vault-pass + --vault-password-file=../.vault_pass # 2. Swarm kurulumu (app node'lar önce, ardından db node'lar) ansible-playbook prod-bootstrap.yml \ --tags swarm \ - --ask-vault-pass + --vault-password-file=../.vault_pass # 3. DB node label'ları (Patroni koordinasyonu için) ansible-playbook prod-bootstrap.yml \ --tags db_labels \ - --ask-vault-pass + --vault-password-file=../.vault_pass # 4. DB node konfigürasyonu (StorageBox dizin ve config dosyaları) ansible-playbook prod-bootstrap.yml \ --tags db_stack \ - --ask-vault-pass + --vault-password-file=../.vault_pass # 5. App node runner kurulumu ansible-playbook prod-bootstrap.yml \ --tags act_runner \ - --ask-vault-pass + --vault-password-file=../.vault_pass ``` ### Prod Act Runner diff --git a/ansible/prod/group_vars/all/vars.yml b/ansible/prod/group_vars/all/vars.yml index 5df4459..07b0f19 100644 --- a/ansible/prod/group_vars/all/vars.yml +++ b/ansible/prod/group_vars/all/vars.yml @@ -19,6 +19,6 @@ iklim_password: "{{ vault_iklim_password }}" act_runner_labels: "prod-runner,ubuntu-24.04,{{ inventory_hostname }}" swarm_manager_ip: "10.20.10.11" mongodb_replset_name: "rs0" -admin_allowed_cidrs: "127.0.0.1/8" -admin_ssh_public_key_path: "~/.ssh/id_ed25519.pub" +admin_allowed_cidrs: "78.187.87.109/32 95.70.151.248/32" +admin_ssh_public_key_path: "~/.ssh/id_rsa.pub" timezone: "Europe/Istanbul" diff --git a/ansible/prod/group_vars/all/vault.yml b/ansible/prod/group_vars/all/vault.yml index 205e2f2..cb2560f 100644 --- a/ansible/prod/group_vars/all/vault.yml +++ b/ansible/prod/group_vars/all/vault.yml @@ -1,7 +1,18 @@ -# Bu dosya ansible-vault ile şifrelenmelidir: -# ansible-vault encrypt group_vars/all/vault.yml -# -# Gerçek değerleri girdikten sonra şifreleyin. -vault_storagebox_password: "CHANGE_ME" -vault_iklim_password: "CHANGE_ME" -vault_gitea_runner_token: "CHANGE_ME" +$ANSIBLE_VAULT;1.1;AES256 +65346532343639643339393034653934623131356161666233303537643731346264313262613362 +3034643838306533303631356537613438316430373733310a643766326231353065643263643039 +31663634346663623137396237313663313332663666363437373935656235353530393735383434 +3730343864333365390a313030386439653438386337666162623264333832363766306161323230 +66613534326166323365656133376535623738633738353361363430336139643261326638393265 +34376261613566343139346639363731353331333563333263396530376537646261336137636562 +61633234646132313337343064353537623232613734636131316536333432393236363633366539 +62633138346463316433613433343265313831643562366661313934306534663930333539363136 +65386538346262306637626261323066366364346364316232663865356165383335626536353764 +64346431313231643963383633326266313135653436363634623939373739326665663865366439 +38636364363631303632363566323239336438303337323934353365653531383833363239323865 +64656635626265313761636239356135326237383931623534633361373632613234313265613730 +37396436656162656466386136316338316537343730623364353239346336313931663864623363 +66663432363332393134386130643530653163343563353336666135313065383762666131633239 +64353935376439313334326238373336653233386135333831383831643737356231313435323765 +30353130333530356334653864376635636634653262333936396234653264323830333935616532 +38393335306362323031643563643636393464636635633435373334393563656531 diff --git a/ansible/prod/host_vars/iklim-app-01/vault.yml b/ansible/prod/host_vars/iklim-app-01/vault.yml new file mode 100644 index 0000000..7ca6c2c --- /dev/null +++ b/ansible/prod/host_vars/iklim-app-01/vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +63323930326135303866313564613466653934323030376361623034393939633866336430376533 +6462363534393332383738333239656539623531363131300a313938623030363363643964393464 +34306537623534633464343138333637643834346433323036643963383438336138623933303765 +3337313864633233320a626630646434323564363133303639356336633364633361333731353665 +30313761323232343431636361316134343966636631336464353437656331343032643763333931 +61373264653465373539383961333963383962326561336563326133613363636336366339316461 +32386234383935313663306638613439323034386162646330333232303233393866323963313733 +34356637326130666431333131396365333166666530643736303532303165346435306261386238 +66376638353961326537306337363661366339346530346132666639306436313931 diff --git a/ansible/prod/host_vars/iklim-app-02/vault.yml b/ansible/prod/host_vars/iklim-app-02/vault.yml new file mode 100644 index 0000000..05f8fb8 --- /dev/null +++ b/ansible/prod/host_vars/iklim-app-02/vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +33343166373333306130643431346235663338353864613434383735616433633965323138653430 +6533303238613038656233653533636134643431643264390a386663306439303563313133393037 +30363065323637653565343364396131383965633333633039653734666339636161373531386537 +3732383139366330350a653938323231323066336639643035373662643336616235636334383264 +66316531643566376130656434663732396233353839306364353861653461353537316236656563 +64376362303738623636313934326239396135636564313434336562333033313661663231616636 +35373462313039313062323861343732643933366332303231366139643938643461396537663232 +36343739383536383566616136353831313836666534333564653366323563343839376137343135 +66393132376665346532346466363232616530373138376663633666366465343562 diff --git a/ansible/prod/host_vars/iklim-app-03/vault.yml b/ansible/prod/host_vars/iklim-app-03/vault.yml new file mode 100644 index 0000000..1d75a8f --- /dev/null +++ b/ansible/prod/host_vars/iklim-app-03/vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +39626463653031613934666436643634613565633662653239623463663762633866346533643735 +3136656338316232613833666562356666333336663936370a373432636135396332666662656363 +64333265663465636639646234313666656335656530613935363461356338323534623434646561 +3034393565356664300a326530393266393536336230343539626232363034373636393330313964 +64346136623433663232323561353532653830373935343134646633303836663839663261656231 +37643830323836333531336565396639376265323636616638646565336531393837313430623463 +37323934623962643462303934616139376339343766356230336464663132333363643634333062 +63643936363235656335613737653033353965666561303663313239386437303561663962653363 +34396133613133376262313038373336626465346262646265323732363764356662 diff --git a/ansible/prod/host_vars/iklim-db-01/vault.yml b/ansible/prod/host_vars/iklim-db-01/vault.yml new file mode 100644 index 0000000..502723d --- /dev/null +++ b/ansible/prod/host_vars/iklim-db-01/vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +65663364653331336437306263396364393762303663643136386635323932623035653362653433 +3362356535343639616331363365363131356435653634640a323932393434653066343038653037 +34336538353436643136353766333865616463393961663236303164363331336461323636623934 +3432393632643831640a356537633966383839653536346666663736353766346538396136363436 +30643631366634653961623334363432336164636531353438346133386463663861623763613031 +30386131316664643135646333323532326634373466356138613831633565336638376662323061 +65636162643761623638663831376466356637306236393663383237323836366536353365383831 +62343734633036376438366563616633666337323633616139373935333563386238316537353335 +64653061356162656431303335313833356135363430623065656536386436313438 diff --git a/ansible/prod/host_vars/iklim-db-02/vault.yml b/ansible/prod/host_vars/iklim-db-02/vault.yml new file mode 100644 index 0000000..6e0345f --- /dev/null +++ b/ansible/prod/host_vars/iklim-db-02/vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +34636563333137303834326537653261653665653432353536373361633631383665623730323838 +6335626530306664386664363933313430366633306639650a336532643964366338383962633663 +62356431663737323734356532376437303837363936346662393664626162643063343761306361 +6433643837326665610a623939393065373165653330643930393130343830336230626333646137 +33666530343663306262306565323039653831623138366361353861653132616138653238366438 +65396335666161666431353639373838343464326631303939616633316538613633373762303935 +36393939393664663863616539373565326563393366343135306264643433353731663933313838 +37366334333530343732343639383362643464303266653566316439663834393731363337393137 +37626239643761666537613233613939353161373366346635656436613432616530 diff --git a/ansible/prod/host_vars/iklim-db-03/vault.yml b/ansible/prod/host_vars/iklim-db-03/vault.yml new file mode 100644 index 0000000..7736876 --- /dev/null +++ b/ansible/prod/host_vars/iklim-db-03/vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +38353632326532653638643432336139353565633734653664333531613539316338623764653166 +6565353931643661633462346366376464636262383536640a613535613266653161313936643735 +63316334383663383430353235373434636632613664653730663631643362303635316236383166 +6637633631636232640a336135323636383131303831656362306663396134653132363964353266 +37383137353430326233383562623361663463356238643334323965396430323337653133323063 +37313133623934663537333532636164386263346166623330333164303031373063346164363466 +64373438356430373465666331623930313534633238373330303266313165623364393837643138 +37636138623337393230343363353765343664373230636231633031636363313761346234363865 +38663832646236333263303034656539363339616635353961376439373766663136 diff --git a/ansible/prod/inventory/generated/prod.yml b/ansible/prod/inventory/generated/prod.yml new file mode 100644 index 0000000..386a4a8 --- /dev/null +++ b/ansible/prod/inventory/generated/prod.yml @@ -0,0 +1,31 @@ +"all": + "children": + "app": + "hosts": + "iklim-app-01": + "ansible_host": "178.104.210.41" + "ansible_user": "root" + "hetzner_floating_ip": "78.47.220.82" + "private_ip": "10.20.10.11" + "iklim-app-02": + "ansible_host": "178.105.69.1" + "ansible_user": "root" + "private_ip": "10.20.10.12" + "iklim-app-03": + "ansible_host": "178.104.219.3" + "ansible_user": "root" + "private_ip": "10.20.10.13" + "db": + "hosts": + "iklim-db-01": + "ansible_host": "159.69.117.158" + "ansible_user": "root" + "private_ip": "10.20.20.11" + "iklim-db-02": + "ansible_host": "178.104.219.162" + "ansible_user": "root" + "private_ip": "10.20.20.12" + "iklim-db-03": + "ansible_host": "159.69.115.105" + "ansible_user": "root" + "private_ip": "10.20.20.13" diff --git a/ansible/roles/hardening/tasks/main.yml b/ansible/roles/hardening/tasks/main.yml index b62fb87..33406ba 100644 --- a/ansible/roles/hardening/tasks/main.yml +++ b/ansible/roles/hardening/tasks/main.yml @@ -16,7 +16,7 @@ state: present loop: - { regexp: "^PasswordAuthentication", line: "PasswordAuthentication no" } - - { regexp: "^PermitRootLogin", line: "PermitRootLogin no" } + - { regexp: "^PermitRootLogin", line: "PermitRootLogin prohibit-password" } - { regexp: "^PermitEmptyPasswords", line: "PermitEmptyPasswords no" } - { regexp: "^MaxAuthTries", line: "MaxAuthTries 3" } notify: Restart sshd diff --git a/facts/prod-kurulum-gecmisi.md b/facts/prod-kurulum-gecmisi.md new file mode 100644 index 0000000..34e334e --- /dev/null +++ b/facts/prod-kurulum-gecmisi.md @@ -0,0 +1,138 @@ +# Prod Ortamı Kurulum Geçmişi + +İlk prod kurulumunda yaşanan sorunlar, uygulanan düzeltmeler ve mevcut durum. + +## Terraform + +### Ayrı Hetzner Projesi Zorunluluğu + +Test ve prod ayrı Hetzner Cloud projelerinde çalışır. Her proje için ayrı API token alınmalıdır. + +Aynı token kullanılırsa `terraform apply` sırasında SSH key çakışması hatası alınır: + +``` +SSH key not unique (uniqueness_error, ) +``` + +Hetzner Cloud, aynı public key'i bir projede yalnızca bir kez kabul eder. Test projesinde oluşturulmuş key, prod projesine ait olmayan bir token ile kullanılamaz. + +**Düzeltme:** `terraform/hetzner/prod/terraform.tfvars` içindeki `hcloud_token` değeri `iklim_prod` projesinin token'ı olmalıdır. + +### State Kaybı Sonrası SSH Key Import + +Terraform state'i olmadan `terraform apply` çalıştırılırsa, Hetzner'da zaten var olan SSH key yeniden oluşturulmaya çalışılır ve yukarıdaki hata alınır. Bu durumda key Hetzner Console → Security → SSH Keys üzerinden ID'si bulunarak import edilir: + +```bash +terraform import hcloud_ssh_key.admin +``` + +### prevent_destroy + +Prod sunucuları `lifecycle { prevent_destroy = true }` ile korunur. `terraform destroy` çalıştırmak gerekirse bu değer geçici olarak `false` yapılır, işlem bittikten sonra tekrar `true`'ya alınır. + +### Inventory Üretimi + +```bash +cd Environment_Infrastructure/terraform/hetzner/prod +mkdir -p ../../../ansible/prod/inventory/generated +terraform output -raw ansible_inventory_yaml > ../../../ansible/prod/inventory/generated/prod.yml +``` + +## Ansible + +### admin_allowed_cidrs + +`group_vars/all/vars.yml` içindeki `admin_allowed_cidrs` değeri başlangıçta `127.0.0.1/8` olarak tanımlanmıştı. Bu değer hardening rolü tarafından firewalld'a uygulanır ve SSH erişimini tamamen kapatır. + +Doğru değer: tüm admin IP'lerini boşlukla ayrılmış string olarak içermelidir. + +```yaml +admin_allowed_cidrs: "78.187.87.109/32 95.70.151.248/32" +``` + +Terraform `terraform.tfvars` içindeki `admin_allowed_cidrs` ile birebir uyumlu olmalıdır. + +### admin_ssh_public_key_path + +`group_vars/all/vars.yml` içinde başlangıçta `~/.ssh/id_ed25519.pub` yazıyordu; bu makinede bu dosya yoktu. Doğru değer: + +```yaml +admin_ssh_public_key_path: "~/.ssh/id_rsa.pub" +``` + +### PermitRootLogin + +Hardening rolü başlangıçta `PermitRootLogin no` uyguluyordu. Bu ayar sshd handler'ı ilk play'in sonunda tetiklediğinden, aynı Ansible çalışmasının devamındaki play'ler (swarm, db_labels, db_stack, act_runner) root ile bağlanamıyordu. + +**Düzeltme:** `PermitRootLogin prohibit-password` olarak değiştirildi. Key tabanlı root girişi açık kalır; parola ile root girişi engellenir. Ansible tüm bootstrap boyunca root ile bağlanmaya devam edebilir. + +### vault_iklim_password — Per-Host Şifre + +`vault_iklim_password` başlangıçta `group_vars/all/vault.yml` içinde tek bir değer olarak tanımlıydı; tüm sunuculara aynı şifre uygulanıyordu. + +Her sunucuya farklı şifre vermek için `host_vars//vault.yml` yapısına geçildi: + +```text +prod/ + group_vars/all/vault.yml ← vault_iklim_password KALDIRILDI + host_vars/ + iklim-app-01/vault.yml ← vault_iklim_password: "<şifre>" + iklim-app-02/vault.yml + iklim-app-03/vault.yml + iklim-db-01/vault.yml + iklim-db-02/vault.yml + iklim-db-03/vault.yml +``` + +Her dosya ayrı ayrı şifrelenir: `ansible-vault encrypt host_vars//vault.yml` + +### StorageBox Mount + +StorageBox WebDAV mount (`/mnt/storagebox`) davfs2 ile yapılır. Aynı anda 6 sunucunun mount denemesi zaman zaman sorun çıkarabilir; Ansible idempotent çalıştığından tekrar çalıştırmak yeterlidir. + +### Bootstrap Çalıştırma Sırası + +```bash +cd Environment_Infrastructure/ansible/prod + +# 1. Tüm node'lar +ansible-playbook prod-bootstrap.yml \ + --tags base,hardening,docker,node_dirs,storagebox,storagebox_ssh_key \ + --ask-vault-pass + +# 2. Swarm kurulumu +ansible-playbook prod-bootstrap.yml \ + --tags swarm \ + --ask-vault-pass + +# 3. DB node label'ları +ansible-playbook prod-bootstrap.yml \ + --tags db_labels \ + --ask-vault-pass + +# 4. DB node konfigürasyonu +ansible-playbook prod-bootstrap.yml \ + --tags db_stack \ + --ask-vault-pass + +# 5. Act runner kurulumu +ansible-playbook prod-bootstrap.yml \ + --tags act_runner \ + --ask-vault-pass +``` + +## Mevcut Durum (2026-05-19) + +| Adım | Durum | +| --- | --- | +| Terraform — 6 sunucu, ağ, firewall, floating IP | ✅ | +| Ansible base + hardening + docker + node_dirs | ✅ | +| Ansible storagebox + storagebox_ssh_key | ✅ | +| Ansible swarm (3 manager app + 3 worker db) | ✅ | +| Ansible db_labels (Patroni koordinasyonu için) | ✅ | +| Ansible db_stack (StorageBox DB dizinleri) | ✅ | +| Ansible act_runner (3 prod runner Gitea'da Idle) | ✅ | +| DB stack deploy (docker-stack-db.prod.yml) | ⏳ bekliyor | +| MongoDB replica set init | ⏳ bekliyor | +| Ana infra stack deploy (docker-stack-infra.prod.yml) | ⏳ bekliyor | +| Deploy pipeline ilk çalışma | ⏳ bekliyor | diff --git a/setup/03-test-ansible-bootstrap.md b/setup/03-test-ansible-bootstrap.md index a71f37b..6c110d8 100644 --- a/setup/03-test-ansible-bootstrap.md +++ b/setup/03-test-ansible-bootstrap.md @@ -169,7 +169,7 @@ Applied to all test nodes: Applied to all test nodes: - SSH password login is disabled. -- Root SSH login is disabled. +- Root SSH login via password is disabled (`PermitRootLogin prohibit-password`); key-based root login remains active so Ansible can connect throughout the bootstrap. - Only SSH key login remains. - `PermitEmptyPasswords no` - `MaxAuthTries 3` diff --git a/setup/06-prod-terraform-iaac.md b/setup/06-prod-terraform-iaac.md index 6f36364..90e7dee 100644 --- a/setup/06-prod-terraform-iaac.md +++ b/setup/06-prod-terraform-iaac.md @@ -69,7 +69,7 @@ location = "fsn1" image = "rocky-10" server_type_app = "cpx42" server_type_db = "cpx32" -admin_ssh_public_key_path = "~/.ssh/id_ed25519.pub" +admin_ssh_public_key_path = "~/.ssh/id_rsa.pub" admin_allowed_cidrs = ["X.X.X.X/32"] ``` @@ -137,7 +137,6 @@ The following ports will not be opened publicly in prod: - `8200/tcp` Vault - `5432/tcp` PostgreSQL - `27017/tcp` MongoDB -- `6379/tcp` Redis - `5672/tcp`, `15672/tcp`, `61613/tcp`, `15674/tcp` RabbitMQ - `2377/tcp`, `7946/tcp`, `7946/udp`, `4789/udp` Docker Swarm - `9180/tcp` APISIX Admin API @@ -156,7 +155,6 @@ Source from app subnet (`10.20.10.0/24`): | `7946/tcp,udp` | Docker Swarm node discovery | From app subnet | | `4789/udp` | Docker Swarm VXLAN overlay | From app subnet | | `8200/tcp` | Vault | Docker overlay / private network | -| `6379/tcp` | Redis | From app subnet | | `5672/tcp` | RabbitMQ AMQP | From app subnet | | `61613/tcp` | RabbitMQ STOMP | From app subnet | | `15674/tcp` | RabbitMQ Web STOMP | From app subnet | diff --git a/setup/07-prod-ansible-bootstrap.md b/setup/07-prod-ansible-bootstrap.md index f08699f..85e7bcf 100644 --- a/setup/07-prod-ansible-bootstrap.md +++ b/setup/07-prod-ansible-bootstrap.md @@ -165,7 +165,7 @@ Applied to all prod nodes: Applied to all prod nodes: - SSH password auth is disabled. -- Root SSH login is disabled. +- Root SSH login via password is disabled (`PermitRootLogin prohibit-password`); key-based root login remains active so Ansible can connect throughout the bootstrap. - Only SSH key auth remains. - `PermitEmptyPasswords no` - `MaxAuthTries 3` diff --git a/terraform/hetzner/README.md b/terraform/hetzner/README.md index 529fa8f..04109be 100644 --- a/terraform/hetzner/README.md +++ b/terraform/hetzner/README.md @@ -29,26 +29,47 @@ Her ortam kendi bağımsız Terraform state dosyasına sahiptir; birbirini etkil ## Ön Koşullar - Terraform >= 1.5 kurulu olmalı. -- Hetzner Cloud ortama özel proje API token'ı hazır olmalı (test ve prod ayrı proje). +- Her ortam için **ayrı** Hetzner Cloud projesi ve API token'ı hazır olmalı (aşağıya bak). - `terraform.tfvars` dosyası oluşturulmuş olmalı (bkz. `terraform.tfvars.example`). +## ⚠️ Her Ortam İçin Ayrı Hetzner Projesi Gereklidir + +Test ve prod **farklı Hetzner Cloud projeleri** altında çalışır; her projenin kendi API token'ı olmalıdır. + +**Neden ayrı proje?** + +- Hetzner Cloud, aynı SSH public key'i bir projede yalnızca bir kez kabul eder. Test ortamının token'ı prod için kullanılırsa `terraform apply` SSH key çakışmasıyla (`uniqueness_error`) hata verir. +- Kaynak izolasyonu: test destroy işlemi prod kaynaklarını etkilemez. +- Maliyet ve kota takibi ortam bazında yapılabilir. + +**Token nasıl alınır:** + +1. [Hetzner Cloud Console](https://console.hetzner.cloud) → ilgili projeyi seç (ör. `iklim_prod`). +2. **Security → API Tokens → Generate API Token** — Read & Write izni ver. +3. Token yalnızca bir kez gösterilir; hemen kopyala. +4. `terraform.tfvars` içindeki `hcloud_token` değerine yapıştır. + +> Test `terraform.tfvars` içindeki token prod dizinine **kopyalanmamalıdır.** Her ortamın kendi dizininde kendi token'ı olmalıdır. + ## terraform.tfvars Kurulumu ```bash # Test için: cd terraform/hetzner/test cp terraform.tfvars.example terraform.tfvars +# hcloud_token = iklim_test projesi token'ı # Prod için: cd terraform/hetzner/prod cp terraform.tfvars.example terraform.tfvars +# hcloud_token = iklim_prod projesi token'ı ``` `terraform.tfvars` içindeki değişkenler: | Değişken | Açıklama | | --- | --- | -| `hcloud_token` | Hetzner Cloud ortama özel proje API token'ı | +| `hcloud_token` | **Ortama özel** Hetzner Cloud API token'ı — test ve prod token'ları birbirinden farklıdır | | `location` | Sunucu lokasyonu (örn. `fsn1`) | | `image` | Sunucu işletim sistemi (örn. `rocky-10`) | | `server_type_app` | App sunucu tipi | diff --git a/terraform/hetzner/prod/.terraform.lock.hcl b/terraform/hetzner/prod/.terraform.lock.hcl new file mode 100644 index 0000000..7c9ecdd --- /dev/null +++ b/terraform/hetzner/prod/.terraform.lock.hcl @@ -0,0 +1,23 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hetznercloud/hcloud" { + version = "1.63.0" + constraints = "~> 1.49" + hashes = [ + "h1:1Yxj4ZifWjSYntT/IK08jX71yeO6cwLBJ2r1YdrOP+0=", + "zh:0510f27825d28b065615c6e715a4aae38a50633195a8a88d4507476bb6484c33", + "zh:0fba95c8fc048155c2211f15f850b75fe33cac96201bcaaa28467b32f6ac568e", + "zh:11d917ac92ca30fe82d362465a1685b3a9f9a3abcd486b0114ff680746d0af08", + "zh:3fccfeb0c12041223edfe8f4e6d53c285c050dad5611e57e3e27a3233ab41459", + "zh:4cd4b626f2ce0f2cc49a1eaf62e1a8b4a0868cd902f3181019215cabfd841aae", + "zh:57baa59c7e80fa5612347a7208aa8e2b1fd88563e91b6a68fe154f507d75d210", + "zh:695cf459e16fabfa25348cf00299ff57b100992c2e56e27ebebb91923acdd7f3", + "zh:6a68c3280930f06158b4b6cbbc4b6329a3b28de42bd5ca284e8b4f1a141f5899", + "zh:9b860ac44e673a3901f782730929c99c229437d9020214cd786952f8de94a10d", + "zh:b8704c7d7f76b1bf8ef7fd722e174d1cd5a0c9901c4fdee1145623583f83629a", + "zh:e3f1e222886b4f48ab102f6e898fd69a0a084fb5e0e3b5de4245b842ed96b459", + "zh:f3b9fc88a0ffed753e5c17589177aa3ab524909f568506b04c348f93ca3c4e5c", + "zh:f9c3fb21c9f64e82841811e7ef51e3a102c1af801153a670bffd005d89476f0e", + ] +} diff --git a/terraform/hetzner/prod/firewall.tf b/terraform/hetzner/prod/firewall.tf index 3e08eca..eee87d2 100644 --- a/terraform/hetzner/prod/firewall.tf +++ b/terraform/hetzner/prod/firewall.tf @@ -97,14 +97,6 @@ resource "hcloud_firewall" "app" { description = "Vault API — private only, never public" } - rule { - direction = "in" - protocol = "tcp" - port = "6379" - source_ips = [local.app_subnet_cidr] - description = "Redis" - } - rule { direction = "in" protocol = "tcp"