From c7c9e6895cd6df181707e023434b485967ed375b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Sat, 1 Jun 2024 17:56:28 +0200
Subject: [PATCH 1/8] [fix] roles with ufw incocation
---
 roles/lighttpd/tasks/main.json | 23 +++++++++++++----------
 roles/murmur/tasks/main.json | 18 ++++++++++--------
 roles/nginx/tasks/main.json | 23 +++++++++++++----------
 roles/proftpd/tasks/main.json | 23 +++++++++++++----------
 roles/synapse/tasks/main.json | 16 +++++++++-------
 5 files changed, 58 insertions(+), 45 deletions(-)
diff --git a/roles/lighttpd/tasks/main.json b/roles/lighttpd/tasks/main.json
index 8e85d43..d29fcdf 100644
--- a/roles/lighttpd/tasks/main.json
+++ b/roles/lighttpd/tasks/main.json
@@ -28,30 +28,33 @@
 }
 },
 {
- "name": "Check wether enabling UFW would be considered a changed",
+ "name": "ufw | check",
 "check_mode": true,
+ "become": true,
 "community.general.ufw": {
- "state": "enabled",
- "register": "ufw_enable_check"
- }
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
 },
 {
- "name": "Allow port 80 in ufw",
+ "name": "ufw | allow port 80",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
 "community.general.ufw": {
 "rule": "allow",
 "port": "80",
 "proto": "tcp"
- },
- "when": "not ufw_enable_check.changed"
+ }
 },
 {
- "name": "Allow port 443 in ufw",
+ "name": "ufw | allow port 443",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
 "community.general.ufw": {
 "rule": "allow",
 "port": "443",
 "proto": "tcp"
- },
- "when": "not ufw_enable_check.changed"
+ }
 },
 {
 "name": "restart service",
diff --git a/roles/murmur/tasks/main.json b/roles/murmur/tasks/main.json
index b8303b2..1b9ed12 100644
--- a/roles/murmur/tasks/main.json
+++ b/roles/murmur/tasks/main.json
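Review bot: `"when": "not ufw_enable_check.changed"` skips every allow task exactly when the check-mode enable would be a change, i.e. when ufw is not active on the host, so the role then silently goes on to start the service with no firewall rule managed for it; the same applies to the murmur, nginx, proftpd and synapse hunks of this patch. A fail-closed task between the check and the allows makes that state visible instead of silent: `{ "name": "ufw | assert enabled", "ansible.builtin.assert": { "that": "not ufw_enable_check.changed", "fail_msg": "ufw is not enabled on this host" } },`. As a point of style, the nginx and synapse hunks place `"become": true` before `"check_mode": true` while lighttpd, murmur and proftpd place it after; one key order across the five roles would keep future diffs aligned. The task list's opening `[` lies outside this hunk.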
@@ -26,21 +26,23 @@
 }
 },
 {
- "name": "Check wether enabling UFW would be considered a changed",
+ "name": "ufw | check",
 "check_mode": true,
+ "become": true,
 "community.general.ufw": {
- "state": "enabled",
- "register": "ufw_enable_check"
- }
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
 },
 {
- "name": "Allow port in ufw",
+ "name": "ufw | allow port",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
 "community.general.ufw": {
 "rule": "allow",
- "port": "{{ var_murmur_port }}",
+ "port": "{{var_murmur_port | string}}",
 "proto": "tcp"
- },
- "when": "not ufw_enable_check.changed"
+ }
 },
 {
 "name": "service",
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index 39a68de..2fe467c 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@@ -10,30 +10,33 @@
 }
 },
 {
- "name": "Check wether enabling UFW would be considered a changed",
+ "name": "ufw | check",
+ "become": true,
 "check_mode": true,
 "community.general.ufw": {
- "state": "enabled",
- "register": "ufw_enable_check"
- }
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
 },
 {
- "name": "Allow port 80 in ufw",
+ "name": "ufw | allow port 80",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
 "community.general.ufw": {
 "rule": "allow",
 "port": "80",
 "proto": "tcp"
- },
- "when": "not ufw_enable_check.changed"
+ }
 },
 {
- "name": "Allow port 443 in ufw",
+ "name": "ufw | allow port 443",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
 "community.general.ufw": {
 "rule": "allow",
 "port": "443",
 "proto": "tcp"
- },
- "when": "not ufw_enable_check.changed"
+ }
 },
 {
 "name": "restart service",
diff --git a/roles/proftpd/tasks/main.json b/roles/proftpd/tasks/main.json
index 53374a6..e5bf9a0 100644
--- a/roles/proftpd/tasks/main.json
+++ b/roles/proftpd/tasks/main.json
@@ -10,29 +10,32 @@
 }
 },
 {
- "name": "Check wether enabling UFW would be considered a changed",
+ "name": "ufw | check",
 "check_mode": true,
+ "become": true,
 "community.general.ufw": {
- "state": "enabled",
- "register": "ufw_enable_check"
- }
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
 },
 {
- "name": "Allow FTP port 20 in ufw",
+ "name": "ufw | allow port 20",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
 "community.general.ufw": {
 "rule": "allow",
 "port": "20",
 "proto": "tcp"
- },
- "when": "not ufw_enable_check.changed"
+ }
 },
 {
- "name": "Allow FTP port 21 in ufw",
+ "name": "ufw | allow port 21",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
 "community.general.ufw": {
 "rule": "allow",
 "port": "21",
 "proto": "tcp"
- },
- "when": "not ufw_enable_check.changed"
+ }
 }
 ]
diff --git a/roles/synapse/tasks/main.json b/roles/synapse/tasks/main.json
index ef5c79c..63e0e78 100644
--- a/roles/synapse/tasks/main.json
+++ b/roles/synapse/tasks/main.json
@@ -59,21 +59,23 @@
 }
 },
 {
- "name": "Check wether enabling UFW would be considered a changed",
+ "name": "ufw | check",
+ "become": true,
 "check_mode": true,
 "community.general.ufw": {
- "state": "enabled",
- "register": "ufw_enable_check"
- }
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
 },
 {
- "name": "Allow matrix federation port in ufw",
+ "name": "ufw | allow port",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
 "community.general.ufw": {
 "rule": "allow",
 "port": "8448",
 "proto": "tcp"
- },
- "when": "not ufw_enable_check.changed"
+ }
 },
 {
 "name": "restart service",
From 8b47912f4688279e1920f5b4ded419662788a985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 6 Jun 2024 13:47:26 +0200
Subject: [PATCH 2/8] [res]
---
 roles/nginx/tasks/main.json | 65 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 64 insertions(+), 1 deletion(-)
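Review bot: `"port": "20"` in the `ufw | allow port 20` task opens an inbound port the FTP server never listens on: in active mode port 20 is the source port of an outbound data connection from the server, and in passive mode the client's data connection arrives on a port from the server's configured passive range, which this rule does not cover. If proftpd is run in passive mode (its configuration is not in this hunk), the port-20 rule can be dropped and the passive range allowed instead, e.g. `"port": "<passive-port-range, e.g. 60000:60100>"` with `"proto": "tcp"` — the range is a placeholder to be matched to the role's proftpd config. The task list's opening `[` lies outside this hunk; its closing `]` is the last context line.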
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index c8e2b40..62853db 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@@ -5,10 +5,73 @@
 "ansible.builtin.apt": {
 "update_cache": true,
 "pkg": [
- "nginx"
+ "nginx",
+ "openssl"
 ]
 }
 },
+ {
+ "name": "generate dhparams file",
+ "become": true,
+ "ansible.builtin.command": {
+ "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
+ },
+ "args": {
+ "creates": "/etc/nginx/dhparam"
+ }
+ },
+ {
+ "name": "place hardening config",
+ "become": true,
+ "ansible.builtin.copy": {
+ "src": "ssl-hardening.conf",
+ "dest": "/etc/nginx/ssl-hardening.conf"
+ }
+ },
+ {
+ "name": "ufw | check",
+ "become": true,
+ "check_mode": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port 80",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "80",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "ufw | allow port 443",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "443",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "auto reload",
+ "when": "auto_reload_interval != None",
+ "become": true,
+ "ansible.builtin.cron": {
+ "name": "nginx_auto_reload",
+ "disabled": true,
+ "minute": "0",
+ "hour": "*/{{var_nginx_auto_reload_interval | string}}",
+ "day": "*",
+ "month": "*",
+ "weekday": "*",
+ "job": "systemctl reload nginx"
+ }
+ },
 {
 "name": "restart service",
 "become": true,
From 9a886a2df9776b26d415ddd5f9c35129799e29d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 6 Jun 2024 13:51:31 +0200
Subject: [PATCH 3/8] [fix] role:nginx
---
 roles/nginx/tasks/main.json | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index 62853db..9748e6d 100644
--- a/roles/nginx/tasks/main.json
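Review bot: `"hour": "*/{{var_nginx_auto_reload_interval | string}}"` in the `auto reload` task reads as "every N hours", but a cron step restarts at hour 0, so any interval that does not divide 24 (5, 7, 9, …) produces an uneven schedule with a short gap around midnight; either document that constraint where the variable is declared or guard it with `"ansible.builtin.assert": { "that": "var_nginx_auto_reload_interval in [1, 2, 3, 4, 6, 8, 12, 24]" }` before the cron task. Separately, `openssl dhparam -out /etc/nginx/dhparam 4096` can block the play for many minutes on a small host with no feedback; a published RFC 7919 group (ffdhe4096) is the usual alternative and removes the generation step, and shipping it with the same `"creates"` guard keeps the task idempotent. The task list's opening `[` and the tasks after `restart service` lie outside this hunk.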
+++ b/roles/nginx/tasks/main.json
@@ -59,7 +59,7 @@
 },
 {
 "name": "auto reload",
- "when": "auto_reload_interval != None",
+ "when": "var_nginx_auto_reload_interval == None",
 "become": true,
 "ansible.builtin.cron": {
 "name": "nginx_auto_reload",
@@ -72,6 +72,21 @@
 "job": "systemctl reload nginx"
 }
 },
+ {
+ "name": "auto reload",
+ "when": "var_nginx_auto_reload_interval != None",
+ "become": true,
+ "ansible.builtin.cron": {
+ "name": "nginx_auto_reload",
+ "disabled": false,
+ "minute": "0",
+ "hour": "*/{{var_nginx_auto_reload_interval | string}}",
+ "day": "*",
+ "month": "*",
+ "weekday": "*",
+ "job": "systemctl reload nginx"
+ }
+ },
 {
 "name": "restart service",
 "become": true,
From 888fdda75bd565d598936cee8c364eaee8488b5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 6 Jun 2024 13:55:17 +0200
Subject: [PATCH 4/8] [fix] role:authelia
---
 roles/authelia/templates/conf-main.json.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2
index 0f163af..e942e72 100644
--- a/roles/authelia/templates/conf-main.json.j2
+++ b/roles/authelia/templates/conf-main.json.j2
@@ -56,7 +56,7 @@
 {% else %}
 "disable": true,
 {% endif %}
- "custom_url": "{{password_reset_custom_url}}"
+ "custom_url": "{{var_authelia_password_reset_custom_url}}"
 },
 "refresh_interval": "5m",
 "file": {
From 8084f3367669559a0f1e25f0ae48aa176c2f379d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 6 Jun 2024 14:46:44 +0200
Subject: [PATCH 5/8] [fix] role:authelia
---
 roles/authelia/templates/conf-main.json.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/authelia/templates/conf-main.json.j2 b/roles/authelia/templates/conf-main.json.j2
index e942e72..475cda4 100644
--- a/roles/authelia/templates/conf-main.json.j2
+++ b/roles/authelia/templates/conf-main.json.j2
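Review bot: with `"when": "var_nginx_auto_reload_interval == None"` the first `auto reload` task now runs precisely when the interval is unset, and its `"hour"` field (outside this hunk, visible in the second hunk's twin) renders `*/None` because `| string` turns the unset value into the literal word; the cron module then writes that as a commented-out entry, so the unset case leaves a stale, nonsensical line in the crontab instead of removing one. The second hunk (`@@ -72,6 +72,21 @@`) adds a near-identical task for the `!= None` case, so two tasks now share the name `auto reload` and differ only in `when` and `disabled`. For the unset case the cron module's `state: absent` expresses the intent directly and needs no time fields; the enabled task can then drop `"disabled": false`, which is the module default. The cron task object starts on a context line here but its body continues past the hunk; the task list's `[` and `]` are outside both hunks.

```json
{
  "name": "auto reload | remove",
  "when": "var_nginx_auto_reload_interval == None",
  "become": true,
  "ansible.builtin.cron": {
    "name": "nginx_auto_reload",
    "state": "absent"
  }
},
```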
@@ -128,7 +128,7 @@
 "cookies": [
 {
 "domain": "{{var_authelia_session_domain}}",
- "authelia_url": "{{var_authelia_domain}}",
+ "authelia_url": "https://{{var_authelia_domain}}/",
 "default_redirection_url": "{{var_authelia_redirect_url}}"
 }
 ]
From 958630599dce5fa25e2b5acd83244904701b5f10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 6 Jun 2024 14:50:15 +0200
Subject: [PATCH 6/8] [fix] role:nginx
---
 roles/nginx/defaults/main.json | 2 +-
 roles/nginx/tasks/main.json.orig | 86 ++++++++++++++++++++++++++++++++
 roles/nginx/vardef.json | 8 +++
 3 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 roles/nginx/tasks/main.json.orig
 create mode 100644 roles/nginx/vardef.json
diff --git a/roles/nginx/defaults/main.json b/roles/nginx/defaults/main.json
index bfd870e..997702e 100644
--- a/roles/nginx/defaults/main.json
+++ b/roles/nginx/defaults/main.json
@@ -1,3 +1,3 @@
 {
+ "var_nginx_auto_reload_interval": null
 }
-
diff --git a/roles/nginx/tasks/main.json.orig b/roles/nginx/tasks/main.json.orig
new file mode 100644
index 0000000..3941ce5
--- /dev/null
+++ b/roles/nginx/tasks/main.json.orig
@@ -0,0 +1,86 @@
+[
+ {
+ "name": "install packages",
+ "become": true,
+ "ansible.builtin.apt": {
+ "update_cache": true,
+ "pkg": [
+ "nginx"
+ ]
+ }
+ },
+ {
+<<<<<<< HEAD
+=======
+ "name": "generate dhparams file",
+ "become": true,
+ "ansible.builtin.command": {
+ "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
+ },
+ "args": {
+ "creates": "/etc/nginx/dhparam"
+ }
+ },
+ {
+ "name": "place hardening config",
+ "become": true,
+ "ansible.builtin.copy": {
+ "src": "ssl-hardening.conf",
+ "dest": "/etc/nginx/ssl-hardening.conf"
+ }
+ },
+ {
+ "name": "ufw | check",
+ "become": true,
+ "check_mode": true,
+ "community.general.ufw": {
+ "state": "enabled"
+ },
+ "register": "ufw_enable_check"
+ },
+ {
+ "name": "ufw | allow port 80",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "80",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "ufw | allow port 443",
+ "when": "not ufw_enable_check.changed",
+ "become": true,
+ "community.general.ufw": {
+ "rule": "allow",
+ "port": "443",
+ "proto": "tcp"
+ }
+ },
+ {
+ "name": "auto reload",
+ "when": "auto_reload_interval != None",
+ "become": true,
+ "ansible.builtin.cron": {
+ "name": "nginx_auto_reload",
+ "disabled": true,
+ "minute": "0",
+ "hour": "*/{{var_nginx_auto_reload_interval | string}}",
+ "day": "*",
+ "month": "*",
+ "weekday": "*",
+ "job": "systemctl reload nginx"
+ }
+ },
+ {
+>>>>>>> f55f317 ([fix] role:nginx)
+ "name": "restart service",
+ "become": true,
+ "ansible.builtin.systemd_service": {
+ "state": "restarted",
+ "name": "nginx"
+ }
+ }
+]
+
diff --git a/roles/nginx/vardef.json b/roles/nginx/vardef.json
new file mode 100644
index 0000000..c03ddc6
--- /dev/null
+++ b/roles/nginx/vardef.json
@@ -0,0 +1,8 @@
+{
+ "auto_reload_interval": {
+ "description": "in hours",
+ "nullable": true,
+ "type": "integer",
+ "mandatory": false
+ }
+}
From a47662cdaa45a7e629f622a70764d0c525811924 Mon Sep 17 00:00:00 2001
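Review bot: `"auto_reload_interval"` in vardef.json does not match the variable the role actually reads, `var_nginx_auto_reload_interval` (set in defaults/main.json in this same patch and used by the `when` and `hour` fields in tasks/main.json), so whatever consumes vardef.json validates a name the tasks never see — unless that tooling adds the `var_nginx_` prefix itself, which is not visible here. Either rename the key to `"var_nginx_auto_reload_interval"` or document the prefixing convention beside it. `"description": "in hours"` would also be more useful as `"description": "reload interval in hours; used as a cron */N hour step"`, since that is how the value is consumed.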
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Thu, 6 Jun 2024 14:51:10 +0200
Subject: [PATCH 7/8] [fix] role:nginx
---
 roles/nginx/tasks/main.json | 65 +------------------------------------
 1 file changed, 1 insertion(+), 64 deletions(-)
diff --git a/roles/nginx/tasks/main.json b/roles/nginx/tasks/main.json
index 9748e6d..0ef3b0e 100644
--- a/roles/nginx/tasks/main.json
+++ b/roles/nginx/tasks/main.json
@@ -5,73 +5,10 @@
 "ansible.builtin.apt": {
 "update_cache": true,
 "pkg": [
- "nginx",
- "openssl"
+ "nginx"
 ]
 }
 },
- {
- "name": "generate dhparams file",
- "become": true,
- "ansible.builtin.command": {
- "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
- },
- "args": {
- "creates": "/etc/nginx/dhparam"
- }
- },
- {
- "name": "place hardening config",
- "become": true,
- "ansible.builtin.copy": {
- "src": "ssl-hardening.conf",
- "dest": "/etc/nginx/ssl-hardening.conf"
- }
- },
- {
- "name": "ufw | check",
- "become": true,
- "check_mode": true,
- "community.general.ufw": {
- "state": "enabled"
- },
- "register": "ufw_enable_check"
- },
- {
- "name": "ufw | allow port 80",
- "when": "not ufw_enable_check.changed",
- "become": true,
- "community.general.ufw": {
- "rule": "allow",
- "port": "80",
- "proto": "tcp"
- }
- },
- {
- "name": "ufw | allow port 443",
- "when": "not ufw_enable_check.changed",
- "become": true,
- "community.general.ufw": {
- "rule": "allow",
- "port": "443",
- "proto": "tcp"
- }
- },
- {
- "name": "auto reload",
- "when": "var_nginx_auto_reload_interval == None",
- "become": true,
- "ansible.builtin.cron": {
- "name": "nginx_auto_reload",
- "disabled": true,
- "minute": "0",
- "hour": "*/{{var_nginx_auto_reload_interval | string}}",
- "day": "*",
- "month": "*",
- "weekday": "*",
- "job": "systemctl reload nginx"
- }
- },
 {
 "name": "auto reload",
 "when": "var_nginx_auto_reload_interval != None",
From 46e239133dd859b5ccbf33fc250b5f3cee323d3a Mon Sep 17 00:00:00 2001
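Review bot: after this hunk the nginx role no longer carries the `ufw | check`, `ufw | allow port 80` and `ufw | allow port 443` tasks, the `ssl-hardening.conf` copy, or the dhparam generation that patch 2/8 added, and the commit message `[fix] role:nginx` does not say where those are meant to live now. Every other role touched in this series keeps its ufw tasks, so nginx ends up as the one service without a managed firewall rule unless such tasks exist further down the file, which this hunk does not show (it ends at the surviving `auto reload` task). If the removal is intentional because a shared firewall or TLS role now owns it, a one-line note in the commit message would stop the next reader from re-adding them; if not, keeping the ufw and `ssl-hardening.conf` tasks and dropping only the `== None` `auto reload` task is the smaller change. The task list's `[` and the tasks after `auto reload` lie outside this hunk.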
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Sun, 9 Jun 2024 11:02:04 +0200
Subject: [PATCH 8/8] [res]
---
 roles/nginx/tasks/main.json.orig | 86 --------------------------------
 1 file changed, 86 deletions(-)
 delete mode 100644 roles/nginx/tasks/main.json.orig
diff --git a/roles/nginx/tasks/main.json.orig b/roles/nginx/tasks/main.json.orig
deleted file mode 100644
index 3941ce5..0000000
--- a/roles/nginx/tasks/main.json.orig
+++ /dev/null
@@ -1,86 +0,0 @@
-[
- {
- "name": "install packages",
- "become": true,
- "ansible.builtin.apt": {
- "update_cache": true,
- "pkg": [
- "nginx"
- ]
- }
- },
- {
-<<<<<<< HEAD
-=======
- "name": "generate dhparams file",
- "become": true,
- "ansible.builtin.command": {
- "cmd": "openssl dhparam -out /etc/nginx/dhparam 4096"
- },
- "args": {
- "creates": "/etc/nginx/dhparam"
- }
- },
- {
- "name": "place hardening config",
- "become": true,
- "ansible.builtin.copy": {
- "src": "ssl-hardening.conf",
- "dest": "/etc/nginx/ssl-hardening.conf"
- }
- },
- {
- "name": "ufw | check",
- "become": true,
- "check_mode": true,
- "community.general.ufw": {
- "state": "enabled"
- },
- "register": "ufw_enable_check"
- },
- {
- "name": "ufw | allow port 80",
- "when": "not ufw_enable_check.changed",
- "become": true,
- "community.general.ufw": {
- "rule": "allow",
- "port": "80",
- "proto": "tcp"
- }
- },
- {
- "name": "ufw | allow port 443",
- "when": "not ufw_enable_check.changed",
- "become": true,
- "community.general.ufw": {
- "rule": "allow",
- "port": "443",
- "proto": "tcp"
- }
- },
- {
- "name": "auto reload",
- "when": "auto_reload_interval != None",
- "become": true,
- "ansible.builtin.cron": {
- "name": "nginx_auto_reload",
- "disabled": true,
- "minute": "0",
- "hour": "*/{{var_nginx_auto_reload_interval | string}}",
- "day": "*",
- "month": "*",
- "weekday": "*",
- "job": "systemctl reload nginx"
- }
- },
- {
->>>>>>> f55f317 ([fix] role:nginx)
- "name": "restart service",
- "become": true,
- "ansible.builtin.systemd_service": {
- "state": "restarted",
- "name": "nginx"
- }
- }
-]
-