chore: add current provisioning state before migration

This commit is contained in:
Jesús Pérez 2025-09-22 23:11:41 +01:00
parent a9703b4748
commit 50745b0f22
660 changed files with 88126 additions and 0 deletions


@ -0,0 +1,75 @@
profile: cicd
description: CI/CD pipeline access profile with restricted permissions
version: 1.0.0
restricted: true
# Allowed operations for CI/CD
allowed:
commands:
- "server list"
- "server status"
- "taskserv list"
- "taskserv status"
- "taskserv create"
- "taskserv install"
- "cluster status"
- "generate"
- "show"
- "context"
providers:
- "local"
- "digitalocean"
taskservs:
- "kubernetes"
- "monitoring"
- "gitea"
- "postgres"
profiles:
- "staging"
- "development"
# Blocked operations for security
blocked:
commands:
- "server create"
- "server delete"
- "taskserv delete"
- "cluster create"
- "cluster delete"
- "sops"
- "secrets"
providers:
- "aws"
taskservs:
- "postgres-admin"
profiles:
- "production"
# Environment restrictions
environment:
max_servers: 5
allowed_regions:
- "nyc1"
- "ams3"
allowed_sizes:
- "s-1vcpu-1gb"
- "s-1vcpu-2gb"
- "s-2vcpu-2gb"
# Audit settings
audit:
log_commands: true
require_justification: true
notify_webhook: "${CI_AUDIT_WEBHOOK_URL}"
# Time-based restrictions
schedule:
allowed_hours: "06:00-22:00"
allowed_days: ["mon", "tue", "wed", "thu", "fri"]
timezone: "UTC"
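Review bot: The precedence between `allowed` and `blocked` and the match mode for list entries are recorded nowhere in this profile, yet the policy depends on them — `allowed.taskservs` lists "postgres" while `blocked.taskservs` lists "postgres-admin", a pair that only means something if matching is exact (or deny wins on a prefix hit). The same gap exists in the developer and readonly profiles in this commit, and the developer file's `"sops edit production/*"` entry additionally presumes glob support. Since `restricted: true` is the whole point of these files, a header comment pinning the contract would let reviewers check the lists against the loader, e.g. `# blocked entries win over allowed; command/taskserv names are matched exactly (TODO confirm against the profile loader)`. The rendered view has lost the nesting indentation, so I am reading `commands`/`providers`/`taskservs`/`profiles` as children of `allowed`/`blocked` and `max_servers`, `allowed_regions`, `allowed_sizes` as children of `environment`.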


@ -0,0 +1,74 @@
profile: developer
description: Developer access profile with moderate restrictions
version: 1.0.0
restricted: true
# Developer permissions
allowed:
commands:
- "server list"
- "server create"
- "server delete"
- "server status"
- "server ssh"
- "taskserv list"
- "taskserv create"
- "taskserv delete"
- "taskserv status"
- "cluster status"
- "generate"
- "show"
- "context"
providers:
- "local"
- "digitalocean"
taskservs:
- "kubernetes"
- "monitoring"
- "gitea"
- "postgres"
profiles:
- "development"
- "staging"
# Restricted operations
blocked:
commands:
- "sops edit production/*"
- "cluster delete production"
providers: []
taskservs: []
profiles:
- "production"
# Resource limits for developers
environment:
max_servers: 10
allowed_regions:
- "nyc1"
- "nyc3"
- "ams3"
- "fra1"
allowed_sizes:
- "s-1vcpu-1gb"
- "s-1vcpu-2gb"
- "s-2vcpu-2gb"
- "s-2vcpu-4gb"
# Audit settings
audit:
log_commands: true
require_justification: false
notify_webhook: "${DEV_AUDIT_WEBHOOK_URL}"
# Flexible schedule for developers
schedule:
allowed_hours: "00:00-23:59"
allowed_days: ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
timezone: "UTC"
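Review bot: The two `blocked.commands` entries, `"sops edit production/*"` and `"cluster delete production"`, are written as argument-level patterns while every other profile in this commit blocks bare subcommands (`"sops"`, `"cluster delete"`), so their effect depends entirely on whether the loader matches globs against the full argument string. If it compares whole command names, neither entry can fire, and a developer who is granted `"server delete"`, `"taskserv delete"` and `"server ssh"` is kept off production only by `blocked.profiles`. Either document the contract next to the list, e.g. `# entries are shell-style globs matched against the full command line`, or, if globs are unsupported, express the restriction at the subcommand granularity the cicd and readonly profiles use. Whether the loader supports globs is not visible in this commit.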


@ -0,0 +1,65 @@
profile: readonly
description: Read-only access profile for monitoring and auditing
version: 1.0.0
restricted: true
# Read-only permissions
allowed:
commands:
- "server list"
- "server status"
- "taskserv list"
- "taskserv status"
- "cluster status"
- "show"
- "context"
providers:
- "local"
- "aws"
- "upcloud"
- "digitalocean"
taskservs: []
profiles:
- "production"
- "staging"
- "development"
# All modification operations blocked
blocked:
commands:
- "server create"
- "server delete"
- "server ssh"
- "taskserv create"
- "taskserv delete"
- "taskserv install"
- "cluster create"
- "cluster delete"
- "generate"
- "sops"
- "secrets"
providers: []
taskservs: []
profiles: []
# No resource limits needed for read-only
environment:
max_servers: 0
allowed_regions: []
allowed_sizes: []
# Audit settings
audit:
log_commands: true
require_justification: false
notify_webhook: "${READONLY_AUDIT_WEBHOOK_URL}"
# 24/7 access for monitoring
schedule:
allowed_hours: "00:00-23:59"
allowed_days: ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
timezone: "UTC"
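Review bot: An empty list carries opposite meanings across these profiles and nothing in the file says which applies: here `environment.allowed_regions: []` and `allowed_sizes: []` are commented as "no resource limits needed" (i.e. unrestricted), while `blocked.providers: []` in the same file and `allowed.taskservs: []` above read naturally as "none". If the loader treats an empty allow-list as "nothing permitted", the comment is wrong but harmless for a read-only profile; if it treats it as "no restriction", the identical shape in `allowed.taskservs` silently widens to every taskserv. Stating the intent per key, e.g. `allowed_regions: []  # empty = no restriction (read-only never provisions)` and `taskservs: []  # empty = none allowed`, or using `null`/omitting the key for "no restriction", removes the ambiguity. The hunk header counts 65 lines while fewer are shown, so blank separators were presumably collapsed in rendering; the closing `schedule` block matches the other two profiles and looks complete.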