diff --git a/.bowerrc b/.bowerrc
deleted file mode 100644
index c0d75e9..0000000
--- a/.bowerrc
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "directory": "publichealth/static/libs"
-}
diff --git a/.buildpacks b/.buildpacks
deleted file mode 100644
index d1a2600..0000000
--- a/.buildpacks
+++ /dev/null
@@ -1,3 +0,0 @@
-https://github.com/heroku/heroku-buildpack-nodejs
-https://github.com/ejholmes/heroku-buildpack-bower
-https://github.com/heroku/heroku-buildpack-python
diff --git a/Pipfile b/Pipfile
index 1ba691c..fb221cd 100644
--- a/Pipfile
+++ b/Pipfile
@@ -30,6 +30,6 @@ Pillow = ">=4.0.0"
 puput = ">=1.0.0"
 python-dotenv = "*"
 stellar = "*"
-wagtail = ">=2.0"
+wagtail = ">=2.0,<2.13"
 whitenoise = "*"
 django-toolbelt = "*"
diff --git a/Pipfile.lock b/Pipfile.lock
index 9a5516e..de25351 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "hash": {
- "sha256": "b30c946ad74676a15cd9f3aaa0bf918a2f094e4b9b578ea447e456133a02e48d"
+ "sha256": "b0a0795e4fff2ce14be7e648fd64bba2387563382c0ce34781d6b64ee95db087"
 },
 "pipfile-spec": 6,
 "requires": {},
@@ -14,6 +14,14 @@
 ]
 },
 "default": {
+ "anyascii": {
+ "hashes": [
+ "sha256:18a77d22da66f2b5e6951f7f365b543656f16c5d7c68f7c70055f030767df403",
+ "sha256:7036c5fdefa40fe9d73a6552ac4f2821916a2a29c1368925f0b7846e536bd2ac"
+ ],
+ "markers": "python_version >= '3.3'",
+ "version": "==0.2.0"
+ },
 "beautifulsoup4": {
 "hashes": [
 "sha256:05fd825eb01c290877657a56df4c6e4c311b3965bda790c613a3d6fb01a5462a",
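Review bot: The new ceiling in `wagtail = ">=2.0,<2.13"` is not explained anywhere in the Pipfile hunk, so a later maintainer cannot tell whether it is a temporary compatibility pin or a deliberate freeze, and an unexplained upper bound quietly excludes future wagtail releases, including any that carry security fixes. Pipfile is TOML and accepts `#` comments, so I would put the reason and a revisit condition directly above the line, for example `# wagtail capped at <2.13: <reason — placeholder>; lift once <condition — placeholder>`. The same commit also moves several lockfile pins (visible in the Pipfile.lock hunks), so recording why this one dependency is held back keeps the next upgrade pass from reverting or preserving it blindly.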
@@ -24,28 +32,33 @@
 },
 "certifi": {
 "hashes": [
- "sha256:1d987a998c75633c40847cc966fcf5904906c920a7f17ef374f5aa4282abd304",
- "sha256:51fcb31174be6e6664c5f69e3e1691a2d72a1a12e90f872cbdb1567eb47b6519"
+ "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
+ "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
 ],
- "version": "==2020.4.5.1"
+ "version": "==2021.5.30"
 },
 "chardet": {
 "hashes": [
- "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
- "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
+ "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
+ "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
 ],
- "version": "==3.0.4"
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+ "version": "==4.0.0"
 },
 "click": {
 "hashes": [
- "sha256:d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a",
- "sha256:dacca89f4bfadd5de3d7489b7c8a566eee0d3676333fbb50030263894c38c0dc"
+ "sha256:8c04c11192119b1ef78ea049e0a6f0463e4c48ef00a30160c704337586f3ad7a",
+ "sha256:fba402a4a47334742d782209a7c79bc448911afe1149d07bdabdf480b3e2f4b6"
 ],
- "version": "==7.1.2"
+ "markers": "python_version >= '3.6'",
+ "version": "==8.0.1"
 },
 "concurrentloghandler": {
 "hashes": [
- "sha256:8225a590fd4194c413fa26675bde5f6b80ad79e4182d5876ba3e264f77755918"
+ "sha256:4ccae08b7f9b3257de35f847e2de8629c00c2075f8ce66db8ed06d7657e2eeae",
+ "sha256:5d199eecc23751ab1f705826660f733c1090f62789f3e3c44296e706fc75b547",
+ "sha256:8225a590fd4194c413fa26675bde5f6b80ad79e4182d5876ba3e264f77755918",
+ "sha256:aa608aa0ce32d86d2061dec91cd58a2a367f97110851529d2aa6ebf96d9dcd4d"
 ],
 "index": "pypi",
 "version": "==0.9.1"
@@ -55,6 +68,7 @@
 "sha256:01f490098c18b19d2bd5bb5dc445b2054d2fa97f09a4280ba2c5f3c394c8162e",
 "sha256:3355078a159fbb44ee60ea80abd0d87b80b78c248643b49aa6d94673b413609b"
 ],
+ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
 "version": "==0.6.0.post1"
 },
 "dj-database-url": {
@@ -73,19 +87,19 @@
 },
 "django": {
 "hashes": [
- "sha256:69897097095f336d5aeef45b4103dceae51c00afa6d3ae198a2a18e519791b7a",
- "sha256:6ecd229e1815d4fc5240fc98f1cca78c41e7a8cd3e3f2eefadc4735031077916"
+ "sha256:3339ff0e03dee13045aef6ae7b523edff75b6d726adf7a7a48f53d5a501f7db7",
+ "sha256:f2084ceecff86b1e631c2cd4107d435daf4e12f1efcdf11061a73bf0b5e95f92"
 ],
 "index": "pypi",
- "version": "==2.2.12"
+ "version": "==2.2.24"
 },
 "django-anymail": {
 "hashes": [
- "sha256:7af1076f383fb3b62b301949ea8f7d87a41376015309ffc35a246a1726060429",
- "sha256:a2bd7a40aa91a1033892630652d3ca8148de70fa2927eb4eebde239fe705f0f4"
+ "sha256:2e8307e84f0a12f9283469017094a8246db9a0fc608ac17dd1027ee011ece986",
+ "sha256:671a338de43b8e414d48c6d16aac1df54d2f24f916e1073f9f60aef5acffaf89"
 ],
 "index": "pypi",
- "version": "==7.1.0"
+ "version": "==8.4"
 },
 "django-appconf": {
 "hashes": [
@@ -104,26 +118,26 @@ }, "django-compressor": { "hashes": [ - "sha256:57ac0a696d061e5fc6fbc55381d2050f353b973fb97eee5593f39247bc0f30af", - "sha256:d2ed1c6137ddaac5536233ec0a819e14009553fee0a869bea65d03e5285ba74f" + "sha256:3358077605c146fdcca5f9eaffb50aa5dbe15f238f8854679115ebf31c0415e0", + "sha256:f8313f59d5e65712fc28787d084fe834997c9dfa92d064a1a3ec3d3366594d04" ], - "version": "==2.4" + "version": "==2.4.1" }, "django-contrib-comments": { "hashes": [ - "sha256:b83320a86081a76bc0570e6cc0f924c0ced40b46ae9f5dd783ab2c745b449529", - "sha256:d1232bade3094de07dcc205fc833204384e71ba9d30caadcb5bb2882ce8e8d31" + "sha256:d82f1d04690550df026553053903deec0c52dc54212e1b79241b08f0355cff2c", + "sha256:e02c7341ea1f4bcdfa347851dbf5e632d3e591d84b4f77de2f90b93398897f3c" ], "index": "pypi", - "version": "==1.9.2" + "version": "==2.1.0" }, "django-crispy-forms": { "hashes": [ - "sha256:ad943285508f0ed0e271d00399b9399c22b8795a4f969029bce0fd29522a8e2d", - "sha256:fbe9c2c9698b6590afe37940cb08194d1e722015f6bc5bee83f679362406ea30" + "sha256:a3320356c84d0cdc631e1ec7b8908aa0117bc2a5f0ab1d053d33eba08f584808", + "sha256:d196db62ee8b4fc32d1f9583d0e4be1bb17328b662682c1ecb9fb77bbc0fcf77" ], "index": "pypi", - "version": "==1.9.1" + "version": "==1.12.0" }, "django-el-pagination": { "hashes": [ @@ -132,6 +146,14 @@ "index": "pypi", "version": "==3.3.0" }, + "django-filter": { + "hashes": [ + "sha256:84e9d5bb93f237e451db814ed422a3a625751cbc9968b484ecc74964a8696b06", + "sha256:e00d32cebdb3d54273c48f4f878f898dced8d5dfaad009438fe61ebdf535ace1" + ], + "markers": "python_version >= '3.5'", + "version": "==2.4.0" + }, "django-libsass": { "hashes": [ "sha256:38fab4ce1245542f3afd7248dc48f8a0b261f5f6c61e7cc43969a9c9079b5ffd", 
@@ -142,33 +164,35 @@ }, "django-modelcluster": { "hashes": [ - "sha256:942ec7ea970c9ef9ded76a1c79cfe69432a7f1c106b505c501d40f100bcbc91a", - "sha256:c7a42cf9b93d1161a10bf59919f7ee52d996a523a4134b2a136f6fe1eba7a2fa" + "sha256:783d177f7bf5c8f30fe365c347b9a032920de371fe1c63d955d7b283684d4c08", + "sha256:d4a0f90e85ae1a193f417e149b6b01d0b2a867dcf97f7fae1d34a4363a9d7baa" ], - "version": "==5.0.2" + "markers": "python_version >= '3.5'", + "version": "==5.1" }, "django-redis": { "hashes": [ - "sha256:a5b1e3ffd3198735e6c529d9bdf38ca3fcb3155515249b98dc4d966b8ddf9d2b", - "sha256:e1aad4cc5bd743d8d0b13d5cae0cef5410eaace33e83bff5fc3a139ad8db50b4" + "sha256:048f665bbe27f8ff2edebae6aa9c534ab137f1e8fa7234147ef470df3f3aa9b8", + "sha256:97739ca9de3f964c51412d1d7d8aecdfd86737bb197fce6e1ff12620c63c97ee" ], "index": "pypi", - "version": "==4.11.0" + "version": "==5.0.0" }, "django-social-share": { "hashes": [ - "sha256:605f96810a4f736df8113c8da6f65307e4f53bec5c7af28ba08095e49778c3de", - "sha256:74a472a61b33992f03db339a76978cdc379a41d86437451ab64e686f3a6ddb63" + "sha256:4062c31ddad15eb9f7796cdfaae5a813018a3fd8da2b77f3e063e3a31252f84a", + "sha256:6de83acdd2a566c70af29b229a6430ccf8031d3d0ae1612419f633cbd9f649f5" ], "index": "pypi", - "version": "==1.4.0" + "version": "==2.2.1" }, "django-taggit": { "hashes": [ - "sha256:4a833bf71f4c2deddd9745924eee53be1c075d7f0020a06f12e29fa3d752732d", - "sha256:609b0223d8a652f3fae088b7fd29f294fdadaca2d7931d45c27d6c59b02fdf31" + "sha256:9f947b7fe330875ac7f05f9616f42ef90df9253b639ca102a9449dd34cec0cab", + "sha256:b9ed6e94bad0bed3bf062a6be7ee3db117fda02c6419c680d614197364ea018b" ], - "version": "==1.3.0" + "markers": "python_version >= '3.6'", + "version": "==1.4.0" }, "django-toolbelt": { "hashes": [ 
@@ -179,20 +203,24 @@ }, "django-treebeard": { "hashes": [ - "sha256:83aebc34a9f06de7daaec330d858d1c47887e81be3da77e3541fe7368196dd8a" + "sha256:7c2b1cdb1e9b46d595825186064a1228bc4d00dbbc186db5b0b9412357fba91c", + "sha256:80150017725239702054e5fa64dc66e383dc13ac262c8d47ee5a82cb005969da" ], - "version": "==4.3.1" + "markers": "python_version >= '3.6'", + "version": "==4.5.1" }, "djangorestframework": { "hashes": [ - "sha256:05809fc66e1c997fd9a32ea5730d9f4ba28b109b9da71fccfa5ff241201fd0a4", - "sha256:e782087823c47a26826ee5b6fa0c542968219263fb3976ec3c31edab23a4001f" + "sha256:6d1d59f623a5ad0509fe0d6bfe93cbdfe17b8116ebc8eda86d45f6e16e819aaf", + "sha256:f747949a8ddac876e879190df194b925c177cdeb725a099db1460872f7c0a7f2" ], - "version": "==3.11.0" + "markers": "python_version >= '3.5'", + "version": "==3.12.4" }, "draftjs-exporter": { "hashes": [ - "sha256:5839cbc29d7bce2fb99837a404ca40c3a07313f2a20e2700de7ad6aa9a9a18fb" + "sha256:5839cbc29d7bce2fb99837a404ca40c3a07313f2a20e2700de7ad6aa9a9a18fb", + "sha256:d415a9964690a2cddb66a31ef32dd46c277e9b80434b94e39e3043188ed83e33" ], "version": "==2.1.7" }, 
@@ -204,6 +232,69 @@ "index": "pypi", "version": "==5.5.3" }, + "et-xmlfile": { + "hashes": [ + "sha256:8eb9e2bc2f8c97e37a2dc85a09ecdcdec9d8a396530a6d5a33b30b9a92da0c5c", + "sha256:a2ba85d1d6a74ef63837eed693bcb89c3f752169b0e3e7ae5b16ca5e1b3deada" + ], + "markers": "python_version >= '3.6'", + "version": "==1.1.0" + }, + "greenlet": { + "hashes": [ + "sha256:03f28a5ea20201e70ab70518d151116ce939b412961c33827519ce620957d44c", + "sha256:06d7ac89e6094a0a8f8dc46aa61898e9e1aec79b0f8b47b2400dd51a44dbc832", + "sha256:06ecb43b04480e6bafc45cb1b4b67c785e183ce12c079473359e04a709333b08", + "sha256:096cb0217d1505826ba3d723e8981096f2622cde1eb91af9ed89a17c10aa1f3e", + "sha256:0c557c809eeee215b87e8a7cbfb2d783fb5598a78342c29ade561440abae7d22", + "sha256:0de64d419b1cb1bfd4ea544bedea4b535ef3ae1e150b0f2609da14bbf48a4a5f", + "sha256:14927b15c953f8f2d2a8dffa224aa78d7759ef95284d4c39e1745cf36e8cdd2c", + "sha256:16183fa53bc1a037c38d75fdc59d6208181fa28024a12a7f64bb0884434c91ea", + "sha256:206295d270f702bc27dbdbd7651e8ebe42d319139e0d90217b2074309a200da8", + "sha256:22002259e5b7828b05600a762579fa2f8b33373ad95a0ee57b4d6109d0e589ad", + "sha256:2325123ff3a8ecc10ca76f062445efef13b6cf5a23389e2df3c02a4a527b89bc", + "sha256:258f9612aba0d06785143ee1cbf2d7361801c95489c0bd10c69d163ec5254a16", + "sha256:3096286a6072553b5dbd5efbefc22297e9d06a05ac14ba017233fedaed7584a8", + "sha256:3d13da093d44dee7535b91049e44dd2b5540c2a0e15df168404d3dd2626e0ec5", + "sha256:408071b64e52192869129a205e5b463abda36eff0cebb19d6e63369440e4dc99", + "sha256:598bcfd841e0b1d88e32e6a5ea48348a2c726461b05ff057c1b8692be9443c6e", + "sha256:5d928e2e3c3906e0a29b43dc26d9b3d6e36921eee276786c4e7ad9ff5665c78a", + "sha256:5f75e7f237428755d00e7460239a2482fa7e3970db56c8935bd60da3f0733e56", + "sha256:60848099b76467ef09b62b0f4512e7e6f0a2c977357a036de602b653667f5f4c", + "sha256:6b1d08f2e7f2048d77343279c4d4faa7aef168b3e36039cba1917fffb781a8ed", + "sha256:70bd1bb271e9429e2793902dfd194b653221904a07cbf207c3139e2672d17959", + 
"sha256:76ed710b4e953fc31c663b079d317c18f40235ba2e3d55f70ff80794f7b57922", + "sha256:7920e3eccd26b7f4c661b746002f5ec5f0928076bd738d38d894bb359ce51927", + "sha256:7db68f15486d412b8e2cfcd584bf3b3a000911d25779d081cbbae76d71bd1a7e", + "sha256:8833e27949ea32d27f7e96930fa29404dd4f2feb13cce483daf52e8842ec246a", + "sha256:944fbdd540712d5377a8795c840a97ff71e7f3221d3fddc98769a15a87b36131", + "sha256:9a6b035aa2c5fcf3dbbf0e3a8a5bc75286fc2d4e6f9cfa738788b433ec894919", + "sha256:9bdcff4b9051fb1aa4bba4fceff6a5f770c6be436408efd99b76fc827f2a9319", + "sha256:a9017ff5fc2522e45562882ff481128631bf35da444775bc2776ac5c61d8bcae", + "sha256:aa4230234d02e6f32f189fd40b59d5a968fe77e80f59c9c933384fe8ba535535", + "sha256:ad80bb338cf9f8129c049837a42a43451fc7c8b57ad56f8e6d32e7697b115505", + "sha256:adb94a28225005890d4cf73648b5131e885c7b4b17bc762779f061844aabcc11", + "sha256:b3090631fecdf7e983d183d0fad7ea72cfb12fa9212461a9b708ff7907ffff47", + "sha256:b33b51ab057f8a20b497ffafdb1e79256db0c03ef4f5e3d52e7497200e11f821", + "sha256:b97c9a144bbeec7039cca44df117efcbeed7209543f5695201cacf05ba3b5857", + "sha256:be13a18cec649ebaab835dff269e914679ef329204704869f2f167b2c163a9da", + "sha256:be9768e56f92d1d7cd94185bab5856f3c5589a50d221c166cc2ad5eb134bd1dc", + "sha256:c1580087ab493c6b43e66f2bdd165d9e3c1e86ef83f6c2c44a29f2869d2c5bd5", + "sha256:c35872b2916ab5a240d52a94314c963476c989814ba9b519bc842e5b61b464bb", + "sha256:c70c7dd733a4c56838d1f1781e769081a25fade879510c5b5f0df76956abfa05", + "sha256:c767458511a59f6f597bfb0032a1c82a52c29ae228c2c0a6865cfeaeaac4c5f5", + "sha256:c87df8ae3f01ffb4483c796fe1b15232ce2b219f0b18126948616224d3f658ee", + "sha256:ca1c4a569232c063615f9e70ff9a1e2fee8c66a6fb5caf0f5e8b21a396deec3e", + "sha256:cc407b68e0a874e7ece60f6639df46309376882152345508be94da608cc0b831", + "sha256:da862b8f7de577bc421323714f63276acb2f759ab8c5e33335509f0b89e06b8f", + "sha256:dfe7eac0d253915116ed0cd160a15a88981a1d194c1ef151e862a5c7d2f853d3", + "sha256:ed1377feed808c9c1139bdb6a61bcbf030c236dd288d6fca71ac26906ab03ba6", 
+ "sha256:f42ad188466d946f1b3afc0a9e1a266ac8926461ee0786c06baac6bd71f8a6f3", + "sha256:f92731609d6625e1cc26ff5757db4d32b6b810d2a3363b0ff94ff573e5901f6f" + ], + "markers": "python_version >= '3.0'", + "version": "==1.1.0" + }, "guess-language-spirit": { "hashes": [ "sha256:a9b20470246bbfd1b69b055ff6459e05aa8cb5f1f1d8481350819cd7680792cc" 
@@ -213,193 +304,245 @@ }, "gunicorn": { "hashes": [ - "sha256:1904bb2b8a43658807108d59c3f3d56c2b6121a701161de0ddf9ad140073c626", - "sha256:cd4a810dd51bf497552cf3f863b575dabd73d6ad6a91075b65936b151cbf4f9c" + "sha256:9dcc4547dbb1cb284accfb15ab5667a0e5d1881cc443e0677b4882a4067a807e", + "sha256:e0a968b5ba15f8a328fdfd7ab1fcb5af4470c28aaf7e55df02a99bc13138e6e8" ], "index": "pypi", - "version": "==20.0.4" + "version": "==20.1.0" }, "html5lib": { "hashes": [ - "sha256:20b159aa3badc9d5ee8f5c647e5efd02ed2a66ab8d354930bd9ff139fc1dc0a3", - "sha256:66cb0dcfdbbc4f9c3ba1a63fdb511ffdbd4f513b2b6d81b80cd26ce6b3fb3736" + "sha256:0d78f8fde1c230e99fe37986a60526d7049ed4bf8a9fadbad5f00e22e58e041d", + "sha256:b2e5b40261e20f354d198eae92afc10d750afb487ed5e50f9c4eaf07c184146f" ], - "version": "==1.0.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.1" }, "humanize": { "hashes": [ - "sha256:07dd1293bac6c77daa5ccdc22c0b41b2315bee0e339a9f035ba86a9f1a272002", - "sha256:42ae7d54b398c01bd100847f6cb0fc9e381c21be8ad3f8e2929135e48dbff026" + "sha256:2cc4f7d2f5994ea9fcddd4b681ddea9abd23baa8cc64bd0af041a0162636f31c", + "sha256:892a5b7b87763c4c6997a58382c2b1f4614048a2e01c23ef1bb0456e6f9d4d5d" ], - "version": "==2.4.0" + "markers": "python_version >= '3.6'", + "version": "==3.9.0" }, "idna": { "hashes": [ - "sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb", - "sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa" + "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", + "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" ], - "version": "==2.9" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==2.10" }, "l18n": { "hashes": [ - "sha256:46e72c980d06a7511726f1da10a32fa524f7e2937c0af5ad52d39577024a4382" + "sha256:ea7a65b2f0935b14601a3295f2c5e5e8b54126dd1e6a7fef4e44d2b8dd5b695a" ], - "version": "==2018.5" + 
"version": "==2020.6.1" }, "libsass": { "hashes": [ - "sha256:107c409524c6a4ed14410fa9dafa9ee59c6bd3ecae75d73af749ab2b75685726", - "sha256:3bc0d68778b30b5fa83199e18795314f64b26ca5871e026343e63934f616f7f7", - "sha256:5c8ff562b233734fbc72b23bb862cc6a6f70b1e9bf85a58422aa75108b94783b", - "sha256:74f6fb8da58179b5d86586bc045c16d93d55074bc7bb48b6354a4da7ac9f9dfd", - "sha256:7555d9b24e79943cfafac44dbb4ca7e62105c038de7c6b999838c9ff7b88645d", - "sha256:794f4f4661667263e7feafe5cc866e3746c7c8a9192b2aa9afffdadcbc91c687", - "sha256:8cf72552b39e78a1852132e16b706406bc76029fe3001583284ece8d8752a60a", - "sha256:98f6dee9850b29e62977a963e3beb3cfeb98b128a267d59d2c3d675e298c8d57", - "sha256:a43f3830d83ad9a7f5013c05ce239ca71744d0780dad906587302ac5257bce60", - "sha256:b077261a04ba1c213e932943208471972c5230222acb7fa97373e55a40872cbb", - "sha256:b7452f1df274b166dc22ee2e9154c4adca619bcbbdf8041a7aa05f372a1dacbc", - "sha256:e6a547c0aa731dcb4ed71f198e814bee0400ce04d553f3f12a53bc3a17f2a481", - "sha256:fd19c8f73f70ffc6cbcca8139da08ea9a71fc48e7dfc4bb236ad88ab2d6558f1" + "sha256:06c8776417fe930714bdc930a3d7e795ae3d72be6ac883ff72a1b8f7c49e5ffb", + "sha256:12f39712de38689a8b785b7db41d3ba2ea1d46f9379d81ea4595802d91fa6529", + "sha256:1e25dd9047a9392d3c59a0b869e0404f2b325a03871ee45285ee33b3664f5613", + "sha256:659ae41af8708681fa3ec73f47b9735a6725e71c3b66ff570bfce78952f2314e", + "sha256:6b984510ed94993708c0d697b4fef2d118929bbfffc3b90037be0f5ccadf55e7", + "sha256:a005f298f64624f313a3ac618ab03f844c71d84ae4f4a4aec4b68d2a4ffe75eb", + "sha256:abc29357ee540849faf1383e1746d40d69ed5cb6d4c346df276b258f5aa8977a", + "sha256:d5ba529d9ce668be9380563279f3ffe988f27bc5b299c5a28453df2e0b0fbaf2", + "sha256:e2b1a7d093f2e76dc694c17c0c285e846d0b0deb0e8b21dc852ba1a3a4e2f1d6" ], "index": "pypi", - "version": "==0.20.0" + "version": "==0.21.0" + }, + "openpyxl": { + "hashes": [ + "sha256:46af4eaf201a89b610fcca177eed957635f88770a5462fb6aae4a2a52b0ff516", + "sha256:6456a3b472e1ef0facb1129f3c6ef00713cebf62e736cd7a75bcc3247432f251" 
+ ], + "version": "==3.0.7" }, "pillow": { "hashes": [ - "sha256:04766c4930c174b46fd72d450674612ab44cca977ebbcc2dde722c6933290107", - "sha256:0e2a3bceb0fd4e0cb17192ae506d5f082b309ffe5fc370a5667959c9b2f85fa3", - "sha256:0f01e63c34f0e1e2580cc0b24e86a5ccbbfa8830909a52ee17624c4193224cd9", - "sha256:12e4bad6bddd8546a2f9771485c7e3d2b546b458ae8ff79621214119ac244523", - "sha256:1f694e28c169655c50bb89a3fa07f3b854d71eb47f50783621de813979ba87f3", - "sha256:3d25dd8d688f7318dca6d8cd4f962a360ee40346c15893ae3b95c061cdbc4079", - "sha256:4b02b9c27fad2054932e89f39703646d0c543f21d3cc5b8e05434215121c28cd", - "sha256:9744350687459234867cbebfe9df8f35ef9e1538f3e729adbd8fde0761adb705", - "sha256:a0b49960110bc6ff5fead46013bcb8825d101026d466f3a4de3476defe0fb0dd", - "sha256:ae2b270f9a0b8822b98655cb3a59cdb1bd54a34807c6c56b76dd2e786c3b7db3", - "sha256:b37bb3bd35edf53125b0ff257822afa6962649995cbdfde2791ddb62b239f891", - "sha256:b532bcc2f008e96fd9241177ec580829dee817b090532f43e54074ecffdcd97f", - "sha256:b67a6c47ed963c709ed24566daa3f95a18f07d3831334da570c71da53d97d088", - "sha256:b943e71c2065ade6fef223358e56c167fc6ce31c50bc7a02dd5c17ee4338e8ac", - "sha256:ccc9ad2460eb5bee5642eaf75a0438d7f8887d484490d5117b98edd7f33118b7", - "sha256:d23e2aa9b969cf9c26edfb4b56307792b8b374202810bd949effd1c6e11ebd6d", - "sha256:eaa83729eab9c60884f362ada982d3a06beaa6cc8b084cf9f76cae7739481dfa", - "sha256:ee94fce8d003ac9fd206496f2707efe9eadcb278d94c271f129ab36aa7181344", - "sha256:f455efb7a98557412dc6f8e463c1faf1f1911ec2432059fa3e582b6000fc90e2", - "sha256:f46e0e024346e1474083c729d50de909974237c72daca05393ee32389dabe457", - "sha256:f54be399340aa602066adb63a86a6a5d4f395adfdd9da2b9a0162ea808c7b276", - "sha256:f784aad988f12c80aacfa5b381ec21fd3f38f851720f652b9f33facc5101cf4d" + "sha256:01425106e4e8cee195a411f729cff2a7d61813b0b11737c12bd5991f5f14bcd5", + "sha256:031a6c88c77d08aab84fecc05c3cde8414cd6f8406f4d2b16fed1e97634cc8a4", + "sha256:083781abd261bdabf090ad07bb69f8f5599943ddb539d64497ed021b2a67e5a9", + 
"sha256:0d19d70ee7c2ba97631bae1e7d4725cdb2ecf238178096e8c82ee481e189168a", + "sha256:0e04d61f0064b545b989126197930807c86bcbd4534d39168f4aa5fda39bb8f9", + "sha256:12e5e7471f9b637762453da74e390e56cc43e486a88289995c1f4c1dc0bfe727", + "sha256:22fd0f42ad15dfdde6c581347eaa4adb9a6fc4b865f90b23378aa7914895e120", + "sha256:238c197fc275b475e87c1453b05b467d2d02c2915fdfdd4af126145ff2e4610c", + "sha256:3b570f84a6161cf8865c4e08adf629441f56e32f180f7aa4ccbd2e0a5a02cba2", + "sha256:463822e2f0d81459e113372a168f2ff59723e78528f91f0bd25680ac185cf797", + "sha256:4d98abdd6b1e3bf1a1cbb14c3895226816e666749ac040c4e2554231068c639b", + "sha256:5afe6b237a0b81bd54b53f835a153770802f164c5570bab5e005aad693dab87f", + "sha256:5b70110acb39f3aff6b74cf09bb4169b167e2660dabc304c1e25b6555fa781ef", + "sha256:5cbf3e3b1014dddc45496e8cf38b9f099c95a326275885199f427825c6522232", + "sha256:624b977355cde8b065f6d51b98497d6cd5fbdd4f36405f7a8790e3376125e2bb", + "sha256:63728564c1410d99e6d1ae8e3b810fe012bc440952168af0a2877e8ff5ab96b9", + "sha256:66cc56579fd91f517290ab02c51e3a80f581aba45fd924fcdee01fa06e635812", + "sha256:6c32cc3145928c4305d142ebec682419a6c0a8ce9e33db900027ddca1ec39178", + "sha256:8b56553c0345ad6dcb2e9b433ae47d67f95fc23fe28a0bde15a120f25257e291", + "sha256:8bb1e155a74e1bfbacd84555ea62fa21c58e0b4e7e6b20e4447b8d07990ac78b", + "sha256:95d5ef984eff897850f3a83883363da64aae1000e79cb3c321915468e8c6add5", + "sha256:a013cbe25d20c2e0c4e85a9daf438f85121a4d0344ddc76e33fd7e3965d9af4b", + "sha256:a787ab10d7bb5494e5f76536ac460741788f1fbce851068d73a87ca7c35fc3e1", + "sha256:a7d5e9fad90eff8f6f6106d3b98b553a88b6f976e51fce287192a5d2d5363713", + "sha256:aac00e4bc94d1b7813fe882c28990c1bc2f9d0e1aa765a5f2b516e8a6a16a9e4", + "sha256:b91c36492a4bbb1ee855b7d16fe51379e5f96b85692dc8210831fbb24c43e484", + "sha256:c03c07ed32c5324939b19e36ae5f75c660c81461e312a41aea30acdd46f93a7c", + "sha256:c5236606e8570542ed424849f7852a0ff0bce2c4c8d0ba05cc202a5a9c97dee9", + "sha256:c6b39294464b03457f9064e98c124e09008b35a62e3189d3513e5148611c9388", 
+ "sha256:cb7a09e173903541fa888ba010c345893cd9fc1b5891aaf060f6ca77b6a3722d", + "sha256:d68cb92c408261f806b15923834203f024110a2e2872ecb0bd2a110f89d3c602", + "sha256:dc38f57d8f20f06dd7c3161c59ca2c86893632623f33a42d592f097b00f720a9", + "sha256:e98eca29a05913e82177b3ba3d198b1728e164869c613d76d0de4bde6768a50e", + "sha256:f217c3954ce5fd88303fc0c317af55d5e0204106d86dea17eb8205700d47dec2" ], "index": "pypi", - "version": "==7.1.2" + "version": "==8.2.0" }, "psutil": { "hashes": [ - "sha256:1413f4158eb50e110777c4f15d7c759521703bd6beb58926f1d562da40180058", - "sha256:298af2f14b635c3c7118fd9183843f4e73e681bb6f01e12284d4d70d48a60953", - "sha256:60b86f327c198561f101a92be1995f9ae0399736b6eced8f24af41ec64fb88d4", - "sha256:685ec16ca14d079455892f25bd124df26ff9137664af445563c1bd36629b5e0e", - "sha256:73f35ab66c6c7a9ce82ba44b1e9b1050be2a80cd4dcc3352cc108656b115c74f", - "sha256:75e22717d4dbc7ca529ec5063000b2b294fc9a367f9c9ede1f65846c7955fd38", - "sha256:a02f4ac50d4a23253b68233b07e7cdb567bd025b982d5cf0ee78296990c22d9e", - "sha256:d008ddc00c6906ec80040d26dc2d3e3962109e40ad07fd8a12d0284ce5e0e4f8", - "sha256:d84029b190c8a66a946e28b4d3934d2ca1528ec94764b180f7d6ea57b0e75e26", - "sha256:e2d0c5b07c6fe5a87fa27b7855017edb0d52ee73b71e6ee368fae268605cc3f5", - "sha256:f344ca230dd8e8d5eee16827596f1c22ec0876127c28e800d7ae20ed44c4b310" + "sha256:0066a82f7b1b37d334e68697faba68e5ad5e858279fd6351c8ca6024e8d6ba64", + "sha256:02b8292609b1f7fcb34173b25e48d0da8667bc85f81d7476584d889c6e0f2131", + "sha256:0ae6f386d8d297177fd288be6e8d1afc05966878704dad9847719650e44fc49c", + "sha256:0c9ccb99ab76025f2f0bbecf341d4656e9c1351db8cc8a03ccd62e318ab4b5c6", + "sha256:0dd4465a039d343925cdc29023bb6960ccf4e74a65ad53e768403746a9207023", + "sha256:12d844996d6c2b1d3881cfa6fa201fd635971869a9da945cf6756105af73d2df", + "sha256:1bff0d07e76114ec24ee32e7f7f8d0c4b0514b3fae93e3d2aaafd65d22502394", + "sha256:245b5509968ac0bd179287d91210cd3f37add77dad385ef238b275bad35fa1c4", + 
"sha256:28ff7c95293ae74bf1ca1a79e8805fcde005c18a122ca983abf676ea3466362b", + "sha256:36b3b6c9e2a34b7d7fbae330a85bf72c30b1c827a4366a07443fc4b6270449e2", + "sha256:52de075468cd394ac98c66f9ca33b2f54ae1d9bff1ef6b67a212ee8f639ec06d", + "sha256:5da29e394bdedd9144c7331192e20c1f79283fb03b06e6abd3a8ae45ffecee65", + "sha256:61f05864b42fedc0771d6d8e49c35f07efd209ade09a5afe6a5059e7bb7bf83d", + "sha256:6223d07a1ae93f86451d0198a0c361032c4c93ebd4bf6d25e2fb3edfad9571ef", + "sha256:6323d5d845c2785efb20aded4726636546b26d3b577aded22492908f7c1bdda7", + "sha256:6ffe81843131ee0ffa02c317186ed1e759a145267d54fdef1bc4ea5f5931ab60", + "sha256:74f2d0be88db96ada78756cb3a3e1b107ce8ab79f65aa885f76d7664e56928f6", + "sha256:74fb2557d1430fff18ff0d72613c5ca30c45cdbfcddd6a5773e9fc1fe9364be8", + "sha256:90d4091c2d30ddd0a03e0b97e6a33a48628469b99585e2ad6bf21f17423b112b", + "sha256:90f31c34d25b1b3ed6c40cdd34ff122b1887a825297c017e4cbd6796dd8b672d", + "sha256:99de3e8739258b3c3e8669cb9757c9a861b2a25ad0955f8e53ac662d66de61ac", + "sha256:c6a5fd10ce6b6344e616cf01cc5b849fa8103fbb5ba507b6b2dee4c11e84c935", + "sha256:ce8b867423291cb65cfc6d9c4955ee9bfc1e21fe03bb50e177f2b957f1c2469d", + "sha256:d225cd8319aa1d3c85bf195c4e07d17d3cd68636b8fc97e6cf198f782f99af28", + "sha256:ea313bb02e5e25224e518e4352af4bf5e062755160f77e4b1767dd5ccb65f876", + "sha256:ea372bcc129394485824ae3e3ddabe67dc0b118d262c568b4d2602a7070afdb0", + "sha256:f4634b033faf0d968bb9220dd1c793b897ab7f1189956e1aa9eae752527127d3", + "sha256:fcc01e900c1d7bee2a37e5d6e4f9194760a93597c97fee89c4ae51701de03563" ], - "version": "==5.7.0" + "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==5.8.0" }, "psycopg2": { "hashes": [ - "sha256:132efc7ee46a763e68a815f4d26223d9c679953cd190f1f218187cb60decf535", - "sha256:2327bf42c1744a434ed8ed0bbaa9168cac7ee5a22a9001f6fc85c33b8a4a14b7", - "sha256:27c633f2d5db0fc27b51f1b08f410715b59fa3802987aec91aeb8f562724e95c", - 
"sha256:2c0afb40cfb4d53487ee2ebe128649028c9a78d2476d14a67781e45dc287f080", - "sha256:2df2bf1b87305bd95eb3ac666ee1f00a9c83d10927b8144e8e39644218f4cf81", - "sha256:440a3ea2c955e89321a138eb7582aa1d22fe286c7d65e26a2c5411af0a88ae72", - "sha256:6a471d4d2a6f14c97a882e8d3124869bc623f3df6177eefe02994ea41fd45b52", - "sha256:6b306dae53ec7f4f67a10942cf8ac85de930ea90e9903e2df4001f69b7833f7e", - "sha256:a0984ff49e176062fcdc8a5a2a670c9bb1704a2f69548bce8f8a7bad41c661bf", - "sha256:ac5b23d0199c012ad91ed1bbb971b7666da651c6371529b1be8cbe2a7bf3c3a9", - "sha256:acf56d564e443e3dea152efe972b1434058244298a94348fc518d6dd6a9fb0bb", - "sha256:d3b29d717d39d3580efd760a9a46a7418408acebbb784717c90d708c9ed5f055", - "sha256:f7d46240f7a1ae1dd95aab38bd74f7428d46531f69219954266d669da60c0818" + "sha256:079d97fc22de90da1d370c90583659a9f9a6ee4007355f5825e5f1c70dffc1fa", + "sha256:2087013c159a73e09713294a44d0c8008204d06326006b7f652bef5ace66eebb", + "sha256:2c992196719fadda59f72d44603ee1a2fdcc67de097eea38d41c7ad9ad246e62", + "sha256:7640e1e4d72444ef012e275e7b53204d7fab341fb22bc76057ede22fe6860b25", + "sha256:7f91312f065df517187134cce8e395ab37f5b601a42446bdc0f0d51773621854", + "sha256:830c8e8dddab6b6716a4bf73a09910c7954a92f40cf1d1e702fb93c8a919cc56", + "sha256:89409d369f4882c47f7ea20c42c5046879ce22c1e4ea20ef3b00a4dfc0a7f188", + "sha256:bf35a25f1aaa8a3781195595577fcbb59934856ee46b4f252f56ad12b8043bcf", + "sha256:de5303a6f1d0a7a34b9d40e4d3bef684ccc44a49bbe3eb85e3c0bffb4a131b7c" ], - "version": "==2.8.5" + "markers": "python_version >= '3.6'", + "version": "==2.9.1" }, "psycopg2-binary": { "hashes": [ - "sha256:008da3ab51adc70a5f1cfbbe5db3a22607ab030eb44bcecf517ad11a0c2b3cac", - "sha256:07cf82c870ec2d2ce94d18e70c13323c89f2f2a2628cbf1feee700630be2519a", - "sha256:08507efbe532029adee21b8d4c999170a83760d38249936038bd0602327029b5", - "sha256:107d9be3b614e52a192719c6bf32e8813030020ea1d1215daa86ded9a24d8b04", - "sha256:17a0ea0b0eabf07035e5e0d520dabc7950aeb15a17c6d36128ba99b2721b25b1", - 
"sha256:3286541b9d85a340ee4ed42732d15fc1bb441dc500c97243a768154ab8505bb5", - "sha256:3939cf75fc89c5e9ed836e228c4a63604dff95ad19aed2bbf71d5d04c15ed5ce", - "sha256:40abc319f7f26c042a11658bf3dd3b0b3bceccf883ec1c565d5c909a90204434", - "sha256:51f7823f1b087d2020d8e8c9e6687473d3d239ba9afc162d9b2ab6e80b53f9f9", - "sha256:6bb2dd006a46a4a4ce95201f836194eb6a1e863f69ee5bab506673e0ca767057", - "sha256:702f09d8f77dc4794651f650828791af82f7c2efd8c91ae79e3d9fe4bb7d4c98", - "sha256:7036ccf715925251fac969f4da9ad37e4b7e211b1e920860148a10c0de963522", - "sha256:7b832d76cc65c092abd9505cc670c4e3421fd136fb6ea5b94efbe4c146572505", - "sha256:8f74e631b67482d504d7e9cf364071fc5d54c28e79a093ff402d5f8f81e23bfa", - "sha256:930315ac53dc65cbf52ab6b6d27422611f5fb461d763c531db229c7e1af6c0b3", - "sha256:96d3038f5bd061401996614f65d27a4ecb62d843eb4f48e212e6d129171a721f", - "sha256:a20299ee0ea2f9cca494396ac472d6e636745652a64a418b39522c120fd0a0a4", - "sha256:a34826d6465c2e2bbe9d0605f944f19d2480589f89863ed5f091943be27c9de4", - "sha256:a69970ee896e21db4c57e398646af9edc71c003bc52a3cc77fb150240fefd266", - "sha256:b9a8b391c2b0321e0cd7ec6b4cfcc3dd6349347bd1207d48bcb752aa6c553a66", - "sha256:ba13346ff6d3eb2dca0b6fa0d8a9d999eff3dcd9b55f3a890f12b0b6362b2b38", - "sha256:bb0608694a91db1e230b4a314e8ed00ad07ed0c518f9a69b83af2717e31291a3", - "sha256:c8830b7d5f16fd79d39b21e3d94f247219036b29b30c8270314c46bf8b732389", - "sha256:cac918cd7c4c498a60f5d2a61d4f0a6091c2c9490d81bc805c963444032d0dab", - "sha256:cc30cb900f42c8a246e2cb76539d9726f407330bc244ca7729c41a44e8d807fb", - "sha256:ccdc6a87f32b491129ada4b87a43b1895cf2c20fdb7f98ad979647506ffc41b6", - "sha256:d1a8b01f6a964fec702d6b6dac1f91f2b9f9fe41b310cbb16c7ef1fac82df06d", - "sha256:e004db88e5a75e5fdab1620fb9f90c9598c2a195a594225ac4ed2a6f1c23e162", - "sha256:eb2f43ae3037f1ef5e19339c41cf56947021ac892f668765cd65f8ab9814192e", - "sha256:fa466306fcf6b39b8a61d003123d442b23707d635a5cb05ac4e1b62cc79105cd" + "sha256:0b7dae87f0b729922e06f85f667de7bf16455d411971b2043bbd9577af9d1975", 
+ "sha256:0f2e04bd2a2ab54fa44ee67fe2d002bb90cee1c0f1cc0ebc3148af7b02034cbd", + "sha256:123c3fb684e9abfc47218d3784c7b4c47c8587951ea4dd5bc38b6636ac57f616", + "sha256:1473c0215b0613dd938db54a653f68251a45a78b05f6fc21af4326f40e8360a2", + "sha256:14db1752acdd2187d99cb2ca0a1a6dfe57fc65c3281e0f20e597aac8d2a5bd90", + "sha256:1e3a362790edc0a365385b1ac4cc0acc429a0c0d662d829a50b6ce743ae61b5a", + "sha256:1e85b74cbbb3056e3656f1cc4781294df03383127a8114cbc6531e8b8367bf1e", + "sha256:20f1ab44d8c352074e2d7ca67dc00843067788791be373e67a0911998787ce7d", + "sha256:2f62c207d1740b0bde5c4e949f857b044818f734a3d57f1d0d0edc65050532ed", + "sha256:3242b9619de955ab44581a03a64bdd7d5e470cc4183e8fcadd85ab9d3756ce7a", + "sha256:35c4310f8febe41f442d3c65066ca93cccefd75013df3d8c736c5b93ec288140", + "sha256:4235f9d5ddcab0b8dbd723dca56ea2922b485ea00e1dafacf33b0c7e840b3d32", + "sha256:5ced67f1e34e1a450cdb48eb53ca73b60aa0af21c46b9b35ac3e581cf9f00e31", + "sha256:7360647ea04db2e7dff1648d1da825c8cf68dc5fbd80b8fb5b3ee9f068dcd21a", + "sha256:8c13d72ed6af7fd2c8acbd95661cf9477f94e381fce0792c04981a8283b52917", + "sha256:988b47ac70d204aed01589ed342303da7c4d84b56c2f4c4b8b00deda123372bf", + "sha256:995fc41ebda5a7a663a254a1dcac52638c3e847f48307b5416ee373da15075d7", + "sha256:a36c7eb6152ba5467fb264d73844877be8b0847874d4822b7cf2d3c0cb8cdcb0", + "sha256:aed4a9a7e3221b3e252c39d0bf794c438dc5453bc2963e8befe9d4cd324dff72", + "sha256:aef9aee84ec78af51107181d02fe8773b100b01c5dfde351184ad9223eab3698", + "sha256:b0221ca5a9837e040ebf61f48899926b5783668b7807419e4adae8175a31f773", + "sha256:b4d7679a08fea64573c969f6994a2631908bb2c0e69a7235648642f3d2e39a68", + "sha256:c250a7ec489b652c892e4f0a5d122cc14c3780f9f643e1a326754aedf82d9a76", + "sha256:ca86db5b561b894f9e5f115d6a159fff2a2570a652e07889d8a383b5fae66eb4", + "sha256:cfc523edecddaef56f6740d7de1ce24a2fdf94fd5e704091856a201872e37f9f", + "sha256:da113b70f6ec40e7d81b43d1b139b9db6a05727ab8be1ee559f3a69854a69d34", + 
"sha256:f6fac64a38f6768e7bc7b035b9e10d8a538a9fadce06b983fb3e6fa55ac5f5ce", + "sha256:f8559617b1fcf59a9aedba2c9838b5b6aa211ffedecabca412b92a1ff75aac1a", + "sha256:fbb42a541b1093385a2d8c7eec94d26d30437d0e77c1d25dae1dcc46741a385e" ], "index": "pypi", - "version": "==2.8.5" + "version": "==2.9.1" }, "puput": { "hashes": [ - "sha256:7562bd70b0cbeedb02b0991b72ce7a947b4167bb23dc5fe20d7b38f399bc7f95" + "sha256:01749d0c1cf9680313691ec6ddb7c5123e1a8d18d894499c93ceba34262b9a55", + "sha256:a0c8df9d2be2ab85a78d22a7d245e6bddbff085244e7eaa6815e7930f6944225" ], "index": "pypi", - "version": "==1.1.0" + "version": "==1.1.1" }, "python-dotenv": { "hashes": [ - "sha256:25c0ff1a3e12f4bde8d592cc254ab075cfe734fc5dd989036716fd17ee7e5ec7", - "sha256:3b9909bc96b0edc6b01586e1eed05e71174ef4e04c71da5786370cebea53ad74" + "sha256:dd8fe852847f4fbfadabf6183ddd4c824a9651f02d51714fa075c95561959c7d", + "sha256:effaac3c1e58d89b3ccb4d04a40dc7ad6e0275fda25fd75ae9d323e2465e202d" ], "index": "pypi", - "version": "==0.13.0" + "version": "==0.18.0" }, "pytz": { "hashes": [ - "sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed", - "sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048" + "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", + "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" ], - "version": "==2020.1" + "version": "==2021.1" }, "pyyaml": { "hashes": [ - "sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97", - "sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76", - "sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2", - "sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648", - "sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf", - "sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f", - "sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2", - 
"sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee", - "sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d", - "sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c", - "sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a" + "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", + "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", + "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", + "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", + "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", + "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", + "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", + "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", + "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", + "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", + "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", + "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", + "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347", + "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", + "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541", + "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", + "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", + "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc", + "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", + "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa", + "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", + "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122", 
+ "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", + "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", + "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", + "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc", + "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247", + "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6", + "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0" ], - "version": "==5.3.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", + "version": "==5.4.1" }, "rcssmin": { "hashes": [ @@ -409,17 +552,19 @@ }, "redis": { "hashes": [ - "sha256:2ef11f489003f151777c064c5dbc6653dfb9f3eade159bcadc524619fddc2242", - "sha256:6d65e84bc58091140081ee9d9c187aab0480097750fac44239307a3bdf0b1251" + "sha256:0e7e0cfca8660dea8b7d5cd8c4f6c5e29e11f31158c0b0ae91a397f00e5a05a2", + "sha256:432b788c4530cfe16d8d943a09d40ca6c16149727e4afe8c2c9d5580c59d9f24" ], - "version": "==3.5.2" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==3.5.3" }, "requests": { "hashes": [ - "sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee", - "sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6" + "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", + "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" ], - "version": "==2.23.0" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==2.25.1" }, "rjsmin": { "hashes": [ 
@@ -441,70 +586,78 @@ }, "schema": { "hashes": [ - "sha256:3a03c2e2b22e6a331ae73750ab1da46916da6ca861b16e6f073ac1d1eba43b71", - "sha256:b536f2375b49fdf56f36279addae98bd86a8afbd58b3c32ce363c464bed5fc1c" + "sha256:cf97e4cd27e203ab6bb35968532de1ed8991bce542a646f0ff1d643629a4945d", + "sha256:fbb6a52eb2d9facf292f233adcc6008cffd94343c63ccac9a1cb1f3e6de1db17" ], - "version": "==0.7.2" + "version": "==0.7.4" }, "six": { "hashes": [ - "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", - "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" + "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", + "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "version": "==1.15.0" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==1.16.0" }, "soupsieve": { "hashes": [ - "sha256:1634eea42ab371d3d346309b93df7870a88610f0725d47528be902a0d95ecc55", - "sha256:a59dc181727e95d25f781f0eb4fd1825ff45590ec8ff49eadfd7f1a537cc0232" + "sha256:052774848f448cf19c7e959adf5566904d525f33a3f8b6ba6f6f8f26ec7de0cc", + "sha256:c2c1c2d44f158cdbddab7824a9af8c4f83c76b1e23e049479aa432feb6c4c23b" ], - "version": "==2.0.1" + "markers": "python_version >= '3.6'", + "version": "==2.2.1" }, "sqlalchemy": { "hashes": [ - "sha256:128bc917ed20d78143a45024455ff0aed7d3b96772eba13d5dbaf9cc57e5c41b", - "sha256:156a27548ba4e1fed944ff9fcdc150633e61d350d673ae7baaf6c25c04ac1f71", - "sha256:27e2efc8f77661c9af2681755974205e7462f1ae126f498f4fe12a8b24761d15", - "sha256:2a12f8be25b9ea3d1d5b165202181f2b7da4b3395289000284e5bb86154ce87c", - "sha256:31c043d5211aa0e0773821fcc318eb5cbe2ec916dfbc4c6eea0c5188971988eb", - "sha256:65eb3b03229f684af0cf0ad3bcc771970c1260a82a791a8d07bffb63d8c95bcc", - "sha256:6cd157ce74a911325e164441ff2d9b4e244659a25b3146310518d83202f15f7a", - "sha256:703c002277f0fbc3c04d0ae4989a174753a7554b2963c584ce2ec0cddcf2bc53", - 
"sha256:869bbb637de58ab0a912b7f20e9192132f9fbc47fc6b5111cd1e0f6cdf5cf9b0", - "sha256:8a0e0cd21da047ea10267c37caf12add400a92f0620c8bc09e4a6531a765d6d7", - "sha256:8d01e949a5d22e5c4800d59b50617c56125fc187fbeb8fa423e99858546de616", - "sha256:925b4fe5e7c03ed76912b75a9a41dfd682d59c0be43bce88d3b27f7f5ba028fb", - "sha256:9cb1819008f0225a7c066cac8bb0cf90847b2c4a6eb9ebb7431dbd00c56c06c5", - "sha256:a87d496884f40c94c85a647c385f4fd5887941d2609f71043e2b73f2436d9c65", - "sha256:a9030cd30caf848a13a192c5e45367e3c6f363726569a56e75dc1151ee26d859", - "sha256:a9e75e49a0f1583eee0ce93270232b8e7bb4b1edc89cc70b07600d525aef4f43", - "sha256:b50f45d0e82b4562f59f0e0ca511f65e412f2a97d790eea5f60e34e5f1aabc9a", - "sha256:b7878e59ec31f12d54b3797689402ee3b5cfcb5598f2ebf26491732758751908", - "sha256:ce1ddaadee913543ff0154021d31b134551f63428065168e756d90bdc4c686f5", - "sha256:ce2646e4c0807f3461be0653502bb48c6e91a5171d6e450367082c79e12868bf", - "sha256:ce6c3d18b2a8ce364013d47b9cad71db815df31d55918403f8db7d890c9d07ae", - "sha256:e4e2664232005bd306f878b0f167a31f944a07c4de0152c444f8c61bbe3cfb38", - "sha256:e8aa395482728de8bdcca9cc0faf3765ab483e81e01923aaa736b42f0294f570", - "sha256:eb4fcf7105bf071c71068c6eee47499ab8d4b8f5a11fc35147c934f0faa60f23", - "sha256:ed375a79f06cad285166e5be74745df1ed6845c5624aafadec4b7a29c25866ef", - "sha256:f35248f7e0d63b234a109dd72fbfb4b5cb6cb6840b221d0df0ecbf54ab087654", - "sha256:f502ef245c492b391e0e23e94cba030ab91722dcc56963c85bfd7f3441ea2bbe", - "sha256:fe01bac7226499aedf472c62fa3b85b2c619365f3f14dd222ffe4f3aa91e5f98" + "sha256:0653d444d52f2b9a0cba1ea5cd0fc64e616ee3838ee86c1863781b2a8670fc0c", + "sha256:146af9e67d0f821b28779d602372e65d019db01532d8f7101e91202d447c14ec", + "sha256:2129d33b54da4d4771868a3639a07f461adc5887dbd9e0a80dbf560272245525", + "sha256:284b6df04bc30e886998e0fdbd700ef9ffb83bcb484ffc54d4084959240dce91", + "sha256:3690fc0fc671419debdae9b33df1434ac9253155fd76d0f66a01f7b459d56ee6", + "sha256:3a6afb7a55374329601c8fcad277f0a47793386255764431c8f6a231a6947ee9", 
+ "sha256:45bbb935b305e381bcb542bf4d952232282ba76881e3458105e4733ba0976060", + "sha256:495cce8174c670f1d885e2259d710b0120888db2169ea14fc32d1f72e7950642", + "sha256:4cdc91bb3ee5b10e24ec59303131b791f3f82caa4dd8b36064d1918b0f4d0de4", + "sha256:4f375c52fed5f2ecd06be18756f121b3167a1fdc4543d877961fba04b1713214", + "sha256:56958dd833145f1aa75f8987dfe0cf6f149e93aa31967b7004d4eb9cb579fefc", + "sha256:5b827d3d1d982b38d2bab551edf9893c4734b5db9b852b28d3bc809ea7e179f6", + "sha256:5c62fff70348e3f8e4392540d31f3b8c251dc8eb830173692e5d61896d4309d6", + "sha256:5d4b2c23d20acf631456e645227cef014e7f84a111118d530cfa1d6053fd05a9", + "sha256:60cfe1fb59a34569816907cb25bb256c9490824679c46777377bcc01f6813a81", + "sha256:664c6cc84a5d2bad2a4a3984d146b6201b850ba0a7125b2fcd29ca06cddac4b1", + "sha256:70674f2ff315a74061da7af1225770578d23f4f6f74dd2e1964493abd8d804bc", + "sha256:77549e5ae996de50ad9f69f863c91daf04842b14233e133335b900b152bffb07", + "sha256:8924d552decf1a50d57dca4984ebd0778a55ca2cb1c0ef16df8c1fed405ff290", + "sha256:93394d68f02ecbf8c0a4355b6452793000ce0ee7aef79d2c85b491da25a88af7", + "sha256:9a62b06ad450386a2e671d0bcc5cd430690b77a5cd41c54ede4e4bf46d7a4978", + "sha256:c824d14b52000597dfcced0a4e480fd8664b09fed606e746a2c67fe5fbe8dfd9", + "sha256:cc474d0c40cef94d9b68980155d686d5ad43a9ca0834a8729052d3585f289d57", + "sha256:d25210f5f1a6b7b6b357d8fa199fc1d5be828c67cc1af517600c02e5b2727e4c", + "sha256:d76abceeb6f7c564fdbc304b1ce17ec59664ca7ed0fe6dbc6fc6a960c91370e3", + "sha256:e2aa39fdf5bff1c325a8648ac1957a0320c66763a3fa5f0f4a02457b2afcf372", + "sha256:eba098a4962e1ab0d446c814ae67e30da82c446b382cf718306cc90d4e2ad85f", + "sha256:ee3428f6100ff2b07e7ecec6357d865a4d604c801760094883587ecdbf8a3533", + "sha256:f3357948fa439eb5c7241a8856738605d7ab9d9f276ca5c5cc3220455a5f8e6c", + "sha256:ffb18eb56546aa66640fef831e5d0fe1a8dfbf11cdf5b00803826a01dbbbf3b1" ], - "version": "==1.3.17" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", + "version": "==1.4.18" }, 
"sqlalchemy-utils": { "hashes": [ - "sha256:7a7fab14bed80df065412bbf71a0a9b0bfeb4b7c111c2d9bffe57283082f3a6b" + "sha256:716d9d9592258db9651a511d03e6b2553242c2a440855ee3f7d5812bbb55d9eb", + "sha256:afd204ed051f53302cd8789cc29c9b15bf458f8baef14a9052bf2823f855d2cb" ], - "version": "==0.36.6" + "markers": "python_version ~= '3.4'", + "version": "==0.37.7" }, "sqlparse": { "hashes": [ - "sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e", - "sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548" + "sha256:017cde379adbd6a1f15a61873f43e8274179378e95ef3fede90b5aa64d304ed0", + "sha256:0f91fd2e829c44362cbcfab3e9ae12e22badaa8a29ad5ff599f9ec109f0454e8" ], - "version": "==0.3.1" + "markers": "python_version >= '3.5'", + "version": "==0.4.1" }, "static3": { "hashes": [ 
@@ -519,27 +672,33 @@ "index": "pypi", "version": "==0.4.5" }, - "unidecode": { - "hashes": [ - "sha256:1d7a042116536098d05d599ef2b8616759f02985c85b4fef50c78a5aaf10822a", - "sha256:2b6aab710c2a1647e928e36d69c21e76b453cd455f4e2621000e54b2a9b8cce8" + "tablib": { + "extras": [ + "xls", + "xlsx" ], - "version": "==1.1.1" + "hashes": [ + "sha256:41aa40981cddd7ec4d1fabeae7c38d271601b306386bd05b5c3bcae13e5aeb20", + "sha256:f83cac08454f225a34a305daa20e2110d5e6335135d505f93bc66583a5f9c10d" + ], + "markers": "python_version >= '3.6'", + "version": "==3.0.0" }, "urllib3": { "hashes": [ - "sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527", - "sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115" + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" ], - "version": "==1.25.9" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", + "version": "==1.26.5" }, "wagtail": { "hashes": [ - "sha256:23c5514d530ad2dbe81360e53abd38cfe4b42671e03018a9dd95ee941b4327f4", - "sha256:ec5305aba6bf75ca9313287ddf159b43ac4e7cdff771cfe0a9413b481baa433f" + "sha256:4b866d9cfbfb15b0ca4482761afea3b12a1b3a5c5d8834e045cc9aa492decba7", + "sha256:93afb1c8c1dae6261ba54a65ceabf7a8d20fe43ae20ceb2ae6956e69aa1963bd" ], "index": "pypi", - "version": "==2.9" + "version": "==2.12.5" }, "webencodings": { "hashes": [ 
@@ -550,25 +709,39 @@ }, "whitenoise": { "hashes": [ - "sha256:60154b976a13901414a25b0273a841145f77eb34a141f9ae032a0ace3e4d5b27", - "sha256:6dd26bfda3af29177d8ab7333a0c7b7642eb615ce83764f4d15a9aecda3201c4" + "sha256:05ce0be39ad85740a78750c86a93485c40f08ad8c62a6006de0233765996e5c7", + "sha256:05d00198c777028d72d8b0bbd234db605ef6d60e9410125124002518a48e515d" ], "index": "pypi", - "version": "==5.1.0" + "version": "==5.2.0" }, "willow": { "hashes": [ - "sha256:4f84c46f65b6a1982e63dbd4d94c6bae705ff21f839164c31e105c3e251bec37", - "sha256:8897a6827c0bb7dee2ac908af53f0d358720bd6032ed20bab3175507e34d739a" + "sha256:698f755fc6bfb8984ac8550f470a0cb630ec1e628287475315d4d1e7595d7337", + "sha256:cde01e054c510284ac3459d6b531e1653a58e33a735706ac27905a94fe81742c" ], - "version": "==1.3" + "version": "==1.4" + }, + "xlrd": { + "hashes": [ + "sha256:6a33ee89877bd9abc1158129f6e94be74e2679636b8a205b43b85206c3f0bbdd", + "sha256:f72f148f54442c6b056bf931dbc34f986fd0c3b0b6b5a58d013c9aef274d0c88" + ], + "version": "==2.0.1" }, "xlsxwriter": { "hashes": [ - "sha256:488e1988ab16ff3a9cd58c7656d0a58f8abe46ee58b98eecea78c022db28656b", - "sha256:97ab487b81534415c5313154203f3e8a637d792b1e6a8201e8f7f71da0203c2a" + "sha256:1a7fac99687020e76aa7dd0d7de4b9b576547ed748e5cd91a99d52a6df54ca16", + "sha256:641db6e7b4f4982fd407a3f372f45b878766098250d26963e95e50121168cbe2" ], - "version": "==1.2.8" + "version": "==1.4.3" + }, + "xlwt": { + "hashes": [ + "sha256:a082260524678ba48a297d922cc385f58278b8aa68741596a87de01a9c628b2e", + "sha256:c59912717a9b28f1a3c2a98fd60741014b06b043936dcecbc113eaaada156c88" + ], + "version": "==1.3.0" } }, "develop": { 
@@ -581,39 +754,42 @@ }, "asgiref": { "hashes": [ - "sha256:8036f90603c54e93521e5777b2b9a39ba1bad05773fcf2d208f0299d1df58ce5", - "sha256:9ca8b952a0a9afa61d30aa6d3d9b570bb3fd6bafcf7ec9e6bed43b936133db1c" + "sha256:92906c611ce6c967347bbfea733f13d6313901d54dcca88195eaeb52b2a8e8ee", + "sha256:d1216dfbdfb63826470995d31caed36225dcaf34f182e0fa257a4dd9e86f1b78" ], - "version": "==3.2.7" + "markers": "python_version >= '3.6'", + "version": "==3.3.4" }, "attrs": { "hashes": [ - "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c", - "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72" + "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", + "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" ], - "version": "==19.3.0" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==21.2.0" }, "distlib": { "hashes": [ - "sha256:2e166e231a26b36d6dfe35a48c4464346620f8645ed0ace01ee31822b288de21" + "sha256:106fef6dc37dd8c0e2c0a60d3fca3e77460a48907f335fa28420463a6f799736", + "sha256:23e223426b28491b1ced97dc3bbe183027419dfc7982b4fa2f05d5f3ff10711c" ], - "version": "==0.3.0" + "version": "==0.3.2" }, "django": { "hashes": [ - "sha256:69897097095f336d5aeef45b4103dceae51c00afa6d3ae198a2a18e519791b7a", - "sha256:6ecd229e1815d4fc5240fc98f1cca78c41e7a8cd3e3f2eefadc4735031077916" + "sha256:3339ff0e03dee13045aef6ae7b523edff75b6d726adf7a7a48f53d5a501f7db7", + "sha256:f2084ceecff86b1e631c2cd4107d435daf4e12f1efcdf11061a73bf0b5e95f92" ], "index": "pypi", - "version": "==2.2.12" + "version": "==2.2.24" }, "django-debug-toolbar": { "hashes": [ - "sha256:eabbefe89881bbe4ca7c980ff102e3c35c8e8ad6eb725041f538988f2f39a943", - "sha256:ff94725e7aae74b133d0599b9bf89bd4eb8f5d2c964106e61d11750228c8774c" + "sha256:a5ff2a54f24bf88286f9872836081078f4baa843dc3735ee88524e89f8821e33", + "sha256:e759e63e3fe2d3110e0e519639c166816368701eab4a47fed75d7de7018467b9" ], "index": "pypi", - 
"version": "==2.2" + "version": "==3.2.1" }, "filelock": { "hashes": [ 
@@ -622,70 +798,66 @@ ], "version": "==3.0.12" }, - "importlib-metadata": { + "iniconfig": { "hashes": [ - "sha256:2a688cbaa90e0cc587f1df48bdc97a6eadccdcd9c35fb3f976a09e3b5016d90f", - "sha256:34513a8a0c4962bc66d35b359558fd8a5e10cd472d37aec5f66858addef32c1e" + "sha256:011e24c64b7f47f6ebd835bb12a743f2fbe9a26d4cecaa7f53bc4f35ee9da8b3", + "sha256:bc3af051d7d14b2ee5ef9969666def0cd1a000e121eaea580d4a313df4b37f32" ], - "markers": "python_version < '3.8'", - "version": "==1.6.0" - }, - "more-itertools": { - "hashes": [ - "sha256:558bb897a2232f5e4f8e2399089e35aecb746e1f9191b6584a151647e89267be", - "sha256:7818f596b1e87be009031c7653d01acc46ed422e6656b394b0f765ce66ed4982" - ], - "version": "==8.3.0" + "version": "==1.1.1" }, "packaging": { "hashes": [ - "sha256:4357f74f47b9c12db93624a82154e9b120fa8293699949152b22065d556079f8", - "sha256:998416ba6962ae7fbd6596850b80e17859a5753ba17c32284f67bfff33784181" + "sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5", + "sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a" ], - "version": "==20.4" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==20.9" }, "pluggy": { "hashes": [ "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0", "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d" ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==0.13.1" }, "py": { "hashes": [ - "sha256:5e27081401262157467ad6e7f851b7aa402c5852dbcb3dae06768434de5752aa", - "sha256:c20fdd83a5dbc0af9efd622bee9a5564e278f6380fffcacc43ba6f43db2813b0" + "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", + "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" ], - "version": "==1.8.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==1.10.0" }, "pyparsing": { "hashes": [ 
"sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" ], + "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.4.7" }, "pytest": { "hashes": [ - "sha256:95c710d0a72d91c13fae35dce195633c929c3792f54125919847fdcdf7caa0d3", - "sha256:eb2b5e935f6a019317e455b6da83dd8650ac9ffd2ee73a7b657a30873d67a698" + "sha256:50bcad0a0b9c5a72c8e4e7c9855a3ad496ca6a881a3641b4260605450772c54b", + "sha256:91ef2131a9bd6be8f76f1f08eac5c5317221d6ad1e143ae03894b862e8976890" ], "index": "pypi", - "version": "==5.4.2" + "version": "==6.2.4" }, "pytest-splinter": { "hashes": [ - "sha256:8725c2305334aa2eaefcbf158b57abe7d49e7e1f21e45df96900f30c02afd55a" + "sha256:16d93db719bcad19342935c1707b5c3ec7e34d9ae10df683f6fc2e9e982ddb39" ], "index": "pypi", - "version": "==2.0.1" + "version": "==3.3.1" }, "pytz": { "hashes": [ - "sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed", - "sha256:c35965d010ce31b23eeb663ed3cc8c906275d6be1a34393a1d73a41febf4a048" + "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", + "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" ], - "version": "==2020.1" + "version": "==2021.1" }, "selenium": { "hashes": [ 
@@ -696,67 +868,58 @@ }, "six": { "hashes": [ - "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259", - "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced" + "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", + "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "version": "==1.15.0" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==1.16.0" }, "splinter": { "hashes": [ - "sha256:62b5876757f0ac09324a7d5e5f94886110219c2b85300516ec39a914d7992d91", - "sha256:9e92535f273622507ac157612c3bb0e9cee7b5ccd2aa097d47b408e34c2ca356" + "sha256:459e39e7a9f7572db6f1cdb5fdc5ccfc6404f021dccb969ee6287be2386a40db", + "sha256:7e5e69c5b76ada909283465cdc3636e2632f7e557932ce96ab9c0432b0b32f7f" ], - "version": "==0.13.0" + "version": "==0.14.0" }, "sqlparse": { "hashes": [ - "sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e", - "sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548" + "sha256:017cde379adbd6a1f15a61873f43e8274179378e95ef3fede90b5aa64d304ed0", + "sha256:0f91fd2e829c44362cbcfab3e9ae12e22badaa8a29ad5ff599f9ec109f0454e8" ], - "version": "==0.3.1" + "markers": "python_version >= '3.5'", + "version": "==0.4.1" }, "toml": { "hashes": [ - "sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f", - "sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88" + "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b", + "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f" ], - "version": "==0.10.1" + "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==0.10.2" }, "tox": { "hashes": [ - "sha256:322dfdf007d7d53323f767badcb068a5cfa7c44d8aabb698d131b28cf44e62c4", - "sha256:8c9ad9b48659d291c5bc78bcabaa4d680d627687154b812fa52baedaa94f9f83" + 
"sha256:307a81ddb82bd463971a273f33e9533a24ed22185f27db8ce3386bff27d324e3", + "sha256:b0b5818049a1c1997599d42012a637a33f24c62ab8187223fdd318fa8522637b" ], "index": "pypi", - "version": "==3.15.1" + "version": "==3.23.1" }, "urllib3": { "hashes": [ - "sha256:3018294ebefce6572a474f0604c2021e33b3fd8006ecd11d62107a5d2a963527", - "sha256:88206b0eb87e6d677d424843ac5209e3fb9d0190d0ee169599165ec25e9d9115" + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" ], - "version": "==1.25.9" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", + "version": "==1.26.5" }, "virtualenv": { "hashes": [ - "sha256:a116629d4e7f4d03433b8afa27f43deba09d48bc48f5ecefa4f015a178efb6cf", - "sha256:a730548b27366c5e6cbdf6f97406d861cccece2e22275e8e1a757aeff5e00c70" + "sha256:14fdf849f80dbb29a4eb6caa9875d476ee2a5cf76a5f5415fa2f1606010ab467", + "sha256:2b0126166ea7c9c3661f5b8e06773d28f83322de7a3ff7d06f0aed18c9de6a76" ], - "version": "==20.0.21" - }, - "wcwidth": { - "hashes": [ - "sha256:cafe2186b3c009a04067022ce1dcd79cb38d8d65ee4f4791b8888d6599d1bbe1", - "sha256:ee73862862a156bf77ff92b09034fc4825dd3af9cf81bc5b360668d425f3c5f1" - ], - "version": "==0.1.9" - }, - "zipp": { - "hashes": [ - "sha256:aa36550ff0c0b7ef7fa639055d797116ee891440eac1a56f378e2d3179e0320b", - "sha256:c599e4d75c98f6798c509911d08a22e6c021d074469042177c8c86fb92eefd96" - ], - "version": "==3.1.0" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==20.4.7" } } } diff --git a/README.md b/README.md index d1b33c5..6810a51 100644 --- a/README.md +++ b/README.md 
@@ -15,7 +15,7 @@ To set up a full development environment, follow all these instructions. **Frontend setup** -Make sure a recent version of node.js (we recommend using [nave.sh](https://gipublichealth/static/org/archive-message.htmlthub.com/isaacs/nave)), then: +Use the LTS version of node.js (we recommend using [nave.sh](https://gipublichealth/static/org/archive-message.htmlthub.com/isaacs/nave) with `nave use lts`), then: ``` npm install -g yarn grunt-cli @@ -32,10 +32,16 @@ If you are only working on the frontend, you can start a local webserver and wor **Backend setup** -If not using Vagrant: after installing Python 3, from the project folder, deploy system packages and create a virtual environment as detailed (for Ubuntu users) below: +If not using Vagrant: after installing Python 3, from the project folder, deploy system packages (here shown for Ubuntu users) for the development libraries of Python, libJPEG and libPQ (Postgres Client): ``` -sudo apt-get install python3-venv python3-dev libjpeg-dev +sudo apt-get install python3-dev libjpeg-dev libpq-dev +``` + +Create a virtual environment as below: + +``` +sudo apt-get install python3-venv pyvenv env . env/bin/activate @@ -77,7 +83,14 @@ Now access the admin panel with the user account you created earlier: http://loc ## Troubleshooting -- Issues with migrating database tables in SQLite during development? Try `./manage.py migrate --fake` +Issues with migrating database tables in SQLite during development? Try `./manage.py migrate --fake` + +Trouble installing packages with npm or yarn? Add IPv6 addresses to your hosts: + + 2606:4700:10::6814:162e nodejs.org + 2606:4700::6810:1823 registry.npmjs.org + 2606:4700::6810:1123 registry.yarnpkg.com + 2a0a:e5c0:2:10::8c52:790a codeload.github.com ## Production notes 
@@ -85,58 +98,46 @@ We use [Ansible](https://www.ansible.com) and [Docker Compose](https://docs.dock To use Docker Compose to manually deploy the site, copy `ansible/roles/web/templates/docker-compose.j2` to `/docker-compose.yml` and fill in all `{{ variables }}`. This can also be done automatically in Ansible. -Install or update the following roles from [Ansible Galaxy](https://docs.ansible.com/ansible/latest/reference_appendices/galaxy.html) to use our scripts: +To update all roles from [Ansible Galaxy](https://docs.ansible.com/ansible/latest/reference_appendices/galaxy.html) used in our install scripts: ``` -ansible-galaxy install \ - dev-sec.nginx-hardening \ - dev-sec.ssh-hardening \ - dev-sec.os-hardening \ - geerlingguy.nodejs +ansible-galaxy install `ls ansible/roles -x -I wagtail` --force ``` To check that the scripts and roles are correctly installed, use this command to do a "dry run": ``` -ansible-playbook ansible/*.yaml -i ansible/inventories/production --list-tasks +ansible-playbook ansible/*.yaml -i ansible/inventories/lagoon --list-tasks ``` If you only want to run a certain set of actions, subset the tags which you see in the output above. For example, to only update the NGINX configuration: ``` -ansible-playbook ansible/web.yaml -i ansible/inventories/production --tags "nginx_template_config" +ansible-playbook ansible/web.yaml -i ansible/inventories/lagoon --tags "nginx_template_config" ``` To do production deployments, you need to obtain SSH and vault keys from your system administrator (who has followed the Ansible guide to set up a vault..), and place these in a `.keys` folder. 
To deploy a site: ``` -ansible-playbook ansible/*.yaml -i ansible/inventories/production +ansible-playbook ansible/*.yaml -i ansible/inventories/lagoon ``` For an update release with a specific version (tag or branch), use (the `-v` parameter showing output of commands): ``` -ansible-playbook ansible/site.yaml -i ansible/inventories/production --tags release -v -e gitversion= +ansible-playbook ansible/site.yaml -i ansible/inventories/lagoon --tags release -v -e gitversion= ``` You can also use the `gitrepo` parameter to use a different fork of the source code. Once the basic system set up, i.e. you have an `ansible` user in the sudoers and docker group, you are ready to run the playbook. -The typical order of deployment is: - -- internet.yaml -- docker.yaml -- node.yaml -- web.yaml -- wagtail.yaml - ### Production releases For further deployment and system maintenance we have a `Makefile` which automates Docker Compose tasks. This should be converted to use [Ansible Container](http://docs.ansible.com/ansible-container/getting_started.html). In the meantime, start a release with Ansible, then complete it using `make`, i.e.: ``` -ansible-playbook -i ansible/inventories/production --tags release ansible/wagtail.yaml +ansible-playbook -i ansible/inventories/lagoon --tags release ansible/wagtail.yaml ssh -i .keys/ansible.pem ansible@ "cd && make release" ``` diff --git a/ansible/internet.yaml b/ansible/alpha.yaml similarity index 78% rename from ansible/internet.yaml rename to ansible/alpha.yaml index 33284c0..1cb894f 100644 --- a/ansible/internet.yaml +++ b/ansible/alpha.yaml @@ -3,13 +3,10 @@ gather_facts: True vars: ssh_server_ports: "{{ vault_ssh_server_ports }}" - nginx_add_header: [] sysctl_overwrite: # Enable IPv4 traffic forwarding. net.ipv4.ip_forward: 1 roles: - role: dev-sec.os-hardening - role: dev-sec.ssh-hardening - - role: nginxinc.nginx - - role: dev-sec.nginx-hardening - role: jnv.unattended-upgrades 
diff --git a/ansible/inventories/production/group_vars/webservers/vars.yaml b/ansible/inventories/carbon/group_vars/webservers/vars.yaml similarity index 100% rename from ansible/inventories/production/group_vars/webservers/vars.yaml rename to ansible/inventories/carbon/group_vars/webservers/vars.yaml diff --git a/ansible/inventories/carbon/group_vars/webservers/vault.yaml b/ansible/inventories/carbon/group_vars/webservers/vault.yaml new file mode 100644 index 0000000..8f4ab78 --- /dev/null +++ b/ansible/inventories/carbon/group_vars/webservers/vault.yaml @@ -0,0 +1,48 @@ +$ANSIBLE_VAULT;1.1;AES256 +32616665363039353938346565666133353839663266373534373330363932316531363932656135 +6166636334613037346432353262333738353930316362610a633337373066313236656562666531 +61636661666636636132306134393733303537363933376166363338306163633466363966343439 +3731346464663438390a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diff --git a/ansible/inventories/carbon/webservers b/ansible/inventories/carbon/webservers new file mode 100644 index 0000000..d7dc75c --- /dev/null +++ b/ansible/inventories/carbon/webservers @@ -0,0 +1,13 @@ +$ANSIBLE_VAULT;1.1;AES256 +65373566353363396261353836316461353537636561316565353137306636373330306361396438 +3435646636363566346635323838346138306239653735320a306263616264343862393065626234 +61633866336565363137353231656534356538333661663961333938336233396439333564666334 +3934373332383231380a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diff --git a/ansible/inventories/files/carbon/cloudflare.key b/ansible/inventories/files/carbon/cloudflare.key new file mode 100644 index 0000000..6ee5e14 --- /dev/null +++ b/ansible/inventories/files/carbon/cloudflare.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCX+OAurxr0r4KC +l6nyf/xZGEu3G/LZEWiFYhYTHZZAVyeUtYBzjGiLiswbtnsFu4bDutvfX3OSynWd +TMBwc0sj8PO0+cJ5Bd9VGA2+PdEHpVWSXfc1c3a4s7C8xwrpxBfsxe3WtQ+lEfI2 +y8h+zVES0af2KDbg/xuipTnsIHRWt1mF7uRw/3R9vYXF44HQbE9c+NOv6knY3sax +xdTq7gKifM1JNIjocEo/r7kgTLW/S5fGbZaffjWopZeXwehXMvK2RR43awkOMg4w +xjhzO6wqC3Wlo9WQ7s3TfcZNE39ipa+lCo/eVzTphYm2gKW/MCG506lR7/s2mudw +p/gAyM5tAgMBAAECggEAA3qMGyrL9FTo07dytEfaDWoLyvsQod0O+5qlWbZVgE8z +wJOFB2AWlox3Tp0XOigy61u6zmVUyRk+/E+g9LysOCblqpCwXcJ/fGcADYjvC3yX +4FwBSCUb+cS3OM2vl26d2OrQ88ISQ8Y3jqnh2DE3+Ap6N0gatXzGyQAnkBr6vsS2 +TTEud/nQsaznD4rUaNcfDFHs8IbYGiDUleFuhsZTj44tUg9whIpDCKba4IAAdU5k +cyvWktd2XGlSuKUZsYuNrcydKZqhjleZq88/VccHtjP8O9L4+63BLost+VcznI3Y +vVT9eqhQwIZYIVsI0tj5X4EWXEyPDsluM/P5GnopMQKBgQDHppcwWhYsB80Jf4FO +TZAxvASMbMlxCdn3jhXt6mmucssqpiu9jQywnYFdEKGG5id40Cq4aJqZFo4534Og +0gTTWsYAJ94dpYDHrC/iqT9WOB8HQVO6UVVzfZu2L25EUQkW9dqEIGufeHtVdK6N +hm0ak1HfnoYhh7wVth+GuK4ICQKBgQDC3VrGsRJLeiHZAL/lIFzGUvG7MnEWE259 +Kf+GfnOa4hDDnd7bzK4L+3Ll8Nvo+Og1VZqnJlvMX6IqVO2lv/RgfBGYuCD1I/Og +b6sZ2+X0S3OYUYGn1hkiiidB8QUALh30Q2JrTs6IPl6XZdPiX8LKi7U0UXJvgnm9 +nLJMZtyERQKBgQC5yiopobu+T6gbbZ8r+fv0fE4TS20OFyfSOlPn6dtcrpCn6KkN +pMOpW3k13LMj8OvMfpMyto0fZyEFdB1uu+InuPJG1NLa7dfweCi7mdpJ5sHhI4bB +/MwzRDFyEaNgSbTWvAUULYNZjGnhdUq2guDm+S8YlNGnREPgRHIEEbpJ2QKBgENK +OvmX1fB4aU3NQ3a02TSnGdCB16k+5o2UPifMbNFUNWPHlVijcoqytveOV/I4Wb9p +IzGLPnHxqEcj8rik85eJ4G2zT7Y3Rv7k8NnKJLtafr1fj/1MInvZ5zqPJyHryu45 +grf5i7pihzmSsTtfxB07Z0R8x56YGMAQZ0WY05ddAoGACVilm2mfLenQDT8bUvor +++zrdk2zdvDRLgYiWu/+O7UhJF8P0ozCYmqeTsgcjKuqgqyfuBNwTKmUeaPbvmxr +CM+gKBmuinQNNF3OjkoRv77fMkMS1+uUZ03iPjIgLz6J4cobdKRvcjVxLfPgyrJp +n0R2KghPhNb9l/XIgqeJNGw= +-----END PRIVATE KEY----- diff --git a/ansible/inventories/files/carbon/cloudflare.pem b/ansible/inventories/files/carbon/cloudflare.pem new file mode 100644 index 0000000..d482ffe --- /dev/null +++ b/ansible/inventories/files/carbon/cloudflare.pem 
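Review bot: `ansible/inventories/files/carbon/cloudflare.key` commits an unencrypted private key (`-----BEGIN PRIVATE KEY-----` through `-----END PRIVATE KEY-----`) into the repository, whereas the sibling inventory files added in this same commit (`carbon/group_vars/webservers/vault.yaml`, `carbon/webservers`) are correctly `$ANSIBLE_VAULT` encrypted. A key that has been pushed in cleartext should be treated as exposed even if it is removed later, because it remains in git history; the matching origin certificate in the next hunk (`cloudflare.pem`) should be reissued against a fresh key, and that key kept under `ansible-vault encrypt` or pulled from a secrets store at deploy time instead of being tracked in git. The same concern applies to the other `cloudflare.key` files this commit touches: the `lagoon` rename keeps an existing key in the tree, and the new `nations` file (its hunk is outside this view) appears to be another plaintext key. Adding a `*.key` ignore rule and a pre-commit secret scan would stop this from recurring.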
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFADCCA+igAwIBAgIUK7EkF7xtZ1tTux+Q2ygKgP5cAScwDQYJKoZIhvcNAQEL +BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQw +MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9y +aXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlh +MB4XDTE5MTAxNzE1MzAwMFoXDTM0MTAxMzE1MzAwMFowYjEZMBcGA1UEChMQQ2xv +dWRGbGFyZSwgSW5jLjEdMBsGA1UECxMUQ2xvdWRGbGFyZSBPcmlnaW4gQ0ExJjAk +BgNVBAMTHUNsb3VkRmxhcmUgT3JpZ2luIENlcnRpZmljYXRlMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl/jgLq8a9K+Cgpep8n/8WRhLtxvy2RFohWIW +Ex2WQFcnlLWAc4xoi4rMG7Z7BbuGw7rb319zksp1nUzAcHNLI/DztPnCeQXfVRgN +vj3RB6VVkl33NXN2uLOwvMcK6cQX7MXt1rUPpRHyNsvIfs1REtGn9ig24P8boqU5 +7CB0VrdZhe7kcP90fb2FxeOB0GxPXPjTr+pJ2N7GscXU6u4ConzNSTSI6HBKP6+5 +IEy1v0uXxm2Wn341qKWXl8HoVzLytkUeN2sJDjIOMMY4czusKgt1paPVkO7N033G +TRN/YqWvpQqP3lc06YWJtoClvzAhudOpUe/7NprncKf4AMjObQIDAQABo4IBgjCC +AX4wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD +ATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQqrDW0atPbYUVW62/oonVTxNlU3TAf +BgNVHSMEGDAWgBQk6FNXXXw0QIep65TbuuEWePwppDBABggrBgEFBQcBAQQ0MDIw +MAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLmNsb3VkZmxhcmUuY29tL29yaWdpbl9j +YTCBggYDVR0RBHsweYISKi5wdWJsaWMtaGVhbHRoLmNoggkqLnNwaGMuY2iCFmdl +c3VuZGhlaXRzbWFuaWZlc3QuY2iCEW1hbmlmZXN0ZXNhbnRlLmNoghJuZ28tYWxs +aWFuei1lYmsuY2iCEHB1YmxpYy1oZWFsdGguY2iCB3NwaGMuY2gwOAYDVR0fBDEw +LzAtoCugKYYnaHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5fY2EuY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCnkhHew7PXdOcJduzRTtBX1oBRpAiky92RkM5/ +jweojEt3I8QIjs1m/7ZUYCQW8grmBRS75x6geKy9prmHoRcRB0Akc6QfDSRBYaK/ +AADSmShPYPFenicVDMOt9hSAYBHihmf5muPIZ/4yrK+FLPpPZibKi7ODmBzZ6Slz +NILCxV8Yz0PG7hGQru8ey0YEno2RBLIIhkzJs80X79r25mdUNVnvk98AbXwF2eyl +njNs7/eKemEe5Ia7OD9R33L/c36hr5HPTnXEfmcUqSeLq0mpoy8xWgsg7ykLUqmy +j6QT71+TT4P1WYYEXwTl0mPqD51Kn7AZCgmq8RMZ83/ocGF9 +-----END CERTIFICATE----- 
diff --git a/ansible/files/cloudflare.key b/ansible/inventories/files/lagoon/cloudflare.key similarity index 100% rename from ansible/files/cloudflare.key rename to ansible/inventories/files/lagoon/cloudflare.key diff --git a/ansible/files/cloudflare.pem b/ansible/inventories/files/lagoon/cloudflare.pem similarity index 100% rename from ansible/files/cloudflare.pem rename to ansible/inventories/files/lagoon/cloudflare.pem diff --git a/ansible/inventories/files/nations/cloudflare.key b/ansible/inventories/files/nations/cloudflare.key new file mode 100644 index 0000000..0948ffb --- /dev/null +++ b/ansible/inventories/files/nations/cloudflare.key 
@@ -0,0 +1,90 @@ +$ANSIBLE_VAULT;1.1;AES256 +37396437326330653831623831646432643031303962636636353931303064636262343439383238 +3965386661613063656436346661363633613866646435630a333962393066636239643165643666 +37346330313165643263656230373633363135376535376536373961633366613339333263376230 +3164363738313339310a336235336465623835333262333866636434653066313736356138353461 +30303332303264643839393462346236316464376138653832633331303365646565343237386662 +61393166313138396334313132663165653131313532663331323237626163633764346162303564 +64343034363139326238383633353463616135366636613262356366663364616438366432343463 +61353135663234663231643865616430636466306161323336363866383838393931363134316532 +62616336346134306363643533303030343531363930346361313864323166343536366564353166 +39643762656364623765626334313663313337326537353664323464363661323665646665656634 +33313332336461663333393632383330616434626362613832663030303334326662323562646535 +34616139343436383866323362363633333632363666626561396534633734393432333363333330 +66643864383133303634333432306332623534643232353963323665623833316237316231303831 +33393431623136323239346261626430643266653262373262396530623338383232646263366361 +65316336393661626537343666373332613030633138376533373331643966616630393036343462 +34623664623339383030373666346131633836393338616462303563643038383463353462643862 +64303037343765616666663635333264363039376463623766353833623337643639343631353931 +61373361636231386334643337356664333061333834656632363762313466613661666234383133 +66333766363264373939336133303830333136336439303136326539383231323235656262363338 +66653666616634653233343032326461396361643266666565633933303532653035663130663736 +37323434393639646435386432656563363961333265353065653564343037326131333333666237 +31363461656632613931656239326132346338346264643232643165613936643863626130616631 +61663439366338383033613135306533393933353933326561386537613263616132616337353534 
+39336565656631323530303965323466636663643266373165303937336465646132663839313136 +30316330393535346265323763376639323363333734323334366234323531373763613439353035 +64383361346638653364656338623465663532383836643433323330343834313564363331323834 +61353333366465636266316264306262326263343139313631326161663165313561393162616236 +39626439656436336134346232653662373336623734666239316365303265373061343234306439 +61363236396231383265366264386236313736643962316562373962383832306231336363346537 +35613032353832383463663366396539333263616262386337353235653632633764303730313062 +32636430653136656538306630316235666331346466633834616632333139663232323464386239 +66653362303139373261656533373866646363373965323962623063313532396664393436363135 +35333333306563626239653938653732613630323464363034346638393631386531613963316338 +64303833316466333439323065323539343933303861626665396565373761333634653435376562 +65626165393937643261626266626430643962633963373839663736373332643162343332373762 +64633166653665333933393937383763313166646462356232346332363632363833373366316463 +35343536613264613230353334666630373964386165663162623533303136366338626531306533 +35623565356234653763356134376635303634353961653831666438643265313230343530393336 +65323762643034376635636234653139366439313233383539666365376130623539613732376636 +64366636346366303533656461326263376566613461633436333336346236653932386230656661 +61393533623131326164343263643666376334366134326433323630623436333132633962323837 +35303034353161363131376266336466663138633961363030356536623834353163623264626233 +37643562396232393932633536343232633334303039396163656231313462386435303839656431 +30386632336434353638386166306565643930623831393834343237373861393731353334646466 +36656237393635373039333161326134333064393863353663323261353430613064313661383064 +63316138653131343334646330643435643532386537373163666639646532663366643534343438 +33366138373230306161653061393538373664373639346261373230313133353561613236353761 
+33613333313231336661303635356531323536353836323765306533333864643834616533343161 +33396632343938333633343430393364636139626161303834383535656639376633393133643139 +61346365373465613861646631353039656465373665623535333936653135353936343035313662 +32643537303630633764656563336434313533623166323738353836666565626333326662636139 +31303630653039363065616432353334396231303430313166643532343861353262636336656238 +33643064373839376261316633646430336663356663393366303032376131333437653630663736 +30386235386261306633303538323464626464303962303133333933393164653933396430393464 +35313234356534323032323161326630313738316466386139313138653738373232386462313961 +32316464316532306330333932613537376562613761323737396537346466663037303839653430 +35363237306334386631396537306332646563386538626533323337313438393439323035363064 +37346434643966326366636238383262373231613566303462373539336333346166323138623033 +33393533396438653439663430653930343233356131393562396232393537326562616131643261 +63666237393835326635623265636434373031666639356563333436666362633363303466383366 +66343464616666383531653966636130336530623532616566333737396338386165623961636438 +36383564326661343865366230313731343232646331663464663932313663333065623965613565 +65343138376561656537313663373135633463636537633131306237363062346239343162363332 +39303365373561316465363134393635623636363839653839643866636164663932633165326662 +36303362333862306531363238643266623631643337656636373139653531616538656132646631 +64656236366235393235353865636232363239336136376430376236623537643833356163383133 +63626434393736303233656433353734303763326362363436633939333433333932663131336530 +66663936666464313135376466633364663231636531346331383739323735363132326162383830 +34386163656131326365333534306437616435303239333233356430636166643361623333636436 +34363065636335336230633565373366303666393961303066623662306461623365333431663964 +39303366343964373438316135393164383262633438633665346562626337336666646463343461 
+62386632616563643162383465656631623731616562663733356266346637343936366439623736 +61313037373834306438363430373636383466613334386165656238343038353831633139363362 +31333735306631613732363661326136663938666135626232636531616435626364633263353662 +61313239326239316130353236316434623261363565343831336339613965336664666132376637 +30313436306239633461633931306633333562396639643836663937303965353831383065653261 +61623839346438316364373634376665633831366434373135646537643735613230346564363630 +61356666323937393164643636393262373039613139663437353939383839326162346463393562 +61316365346361383266326135616638323762326661373764346437386539313466633337323939 +37653938373236333763626135313237363761623539663038303234623634343836313861653336 +61303365656633643435633061643761656339623231303065306435366535386434343635343538 +33343037626165633039663632646532386364626635306138623938656563336433636130613033 +32363233343061383065653231646439396465353337656636356166383263356665626238356139 +66636537313461393865336639626163306438623630303663633163363339323863616339336432 +61356138353363366639383764633862393234626533373736366130326334333861636537633537 +38383233313063646539613931323837373530343935623562666431633431396538383331396632 +35326266333930343236333937363030356231303061393362373536303337633964646132393862 +39393963326136666361663363653936356333663565316331663331376636303966376637343236 +64636531306635323731663334396663306262333730653335363364633839333339 diff --git a/ansible/inventories/files/nations/cloudflare.pem b/ansible/inventories/files/nations/cloudflare.pem new file mode 100644 index 0000000..0900b68 --- /dev/null +++ b/ansible/inventories/files/nations/cloudflare.pem 
@@ -0,0 +1,122 @@ +$ANSIBLE_VAULT;1.1;AES256 +36363564613066383633626239613031613162623365303031383037303365383835353462343835 +3031636161616532613464623932343761323932653831640a306336386331326363396335376231 +37363230353662383430633763396264623066636563366365633631623137626463303662396134 +6665306336636535360a313035303031303431353437363263646539386132666561653433363939 +38373463303933303133393730353831393862366232323532373635663435623638613762616537 +33343931333939626139353439343965373935616436663864363234326235363530616334636465 +34343836313761353332353232613964356363306538366633623131636264396434366666336134 +32643230333666363139313165626636306562646236663964656466643735663961303565316265 +38316436356262666334393264363966633737346635663135356633306463336437383030383264 +66653435626566303637353039373539373961643338376464626165366434363431373364313636 +38366632313532653539326138396434666434613731303662643134346535386435393531626639 +62666436636366316338313630663665623736326465336432396366356239666261373863656536 +35613138646635353362393963383665653764306137306462343063316137656137616135363663 +37373937626564343233376562623430393231376636323563353637386230323161323230396531 +64303136363562306162326664373639323866393833656266366662666434343963333038616566 +64383462306237346564323238373963363630326266626330383261626231346439373138323531 +35323430643063653638636164623334336630633661353331363831636665616666313438396334 +61386138613738653038633233653565336435393530363730613637353438363434373637373362 +65326435666264376433653865323730303664303231363963323539353532653364626562333162 +30656539336631633065346166383835633261393463623866313866343764626333313432643530 +31613666613462663662616131333531666533343661346333383539343638393336366235666437 +37313264323434326538303736666535616362613334396133313363336532343335636631646331 +38656633393863303934313466333530333737376235396233323839393030396530323862363763 
+30616561303165386331356562333164373830663531366662643463303466383765663032613166 +64313465303362316465373134663264616234346530373031643830386166653038616134353632 +64376637643534373864373030323232356430316434323765363861303462366232666136626663 +39626261396263316434366462376563326439396438373966303933643931383730373834616166 +36646134336336353334623165656361623436346465396463393530633463373930393139626365 +61306339313662643130303733613636623433646332646335306163386637626532646630623139 +37323366366231363864663132373964363837356236623162306336343631333361616635376430 +32386465376334396134626133313764326637613966626364343831636234363437333662666339 +33393331666562306264346339663965343364353938646634393432363363393131616234663237 +33363461613233643461623338396335333032316566623233633538653566336138386464656533 +37303835306234613163376362353964383935623465396362616164616233323437336566666136 +31383536656438386536333766616334633739353731303766666433323230613339653265646463 +66633161663339656433653535373865353463306135653739656330363064633563613531336365 +36646262353566336135316462666138313732333864353431383762646662346362313863613932 +62613038626661396637396366636264373537373966333938663931663532353862636561393764 +66313065393963306564393637616231386137633465306164343234373665383265326462373961 +35333766613232376234363336663865343663656631353565366461343964643265623064616562 +64656462313333376534313333646630383462343935333439623061343464316139313331663966 +30613236333239396137346361613830633738386162306633303033613938643138646465636364 +36626236396633306162623461393764643661353634303237303862666136323337333362383538 +38613866643032653565616266363637643036326465393734633239386535373038653464396563 +39623561363862393131623764366261323932643733383066373436346236326630383966383433 +35373835323436396235636337303564646433386431356165383337343334316432613065316133 +66303937626631396334323838636436393533356535346436613531376330313230623439363136 
+33333839343239353762663130623735643262363036376433373963333937326533323466383235 +61363639393835633035396634316538386463333461383334346438303134396433613665303664 +38613532383562613862333765616665643134616532373762643432663337643132663233326664 +66356530633561343862326666313264323637313239366161663031343265303833376539653430 +37643435313265306135393736396535336333373665613836633465373761373266613031633636 +65623363623134323430386632653232303461636162323466386564346565636532373438323839 +66386463333635653535623139643235383437313761363532316561343939336166383562666335 +31626561633264323766303565653566393164646638353861653838363466646639633361646536 +65656235626330333538666365383230373563373230353263666361633965396133393430323165 +30333066656231333738633264396162363063646532656265663232346135373330613566323131 +36323966373832663564383433383235356664306439323764303638623736633262623533366532 +61353938323462633637313263663238626535366234393864343533383561356532363564323963 +63663033633866366366633161383238663537303339386239373035343061613066346532333533 +32363964666235653062316164393634393337326136363235343231386633323436373762633337 +65336430366539363461363165346537346134616135346139633235366334363266336566663738 +36643331376161383532316366363766303463656137333864336163326238626138643939613237 +30323062326465306561313364323630343238393531613963353065663861363336616331643065 +39623533303861363263333461633637623164333762316665323835353334323364666466623839 +62323839326339383231346233323636663261316439653035313265326237326266393331646365 +33643639386131333063663463323534383737636563346463316433646361363338616631376431 +63653434303736366266373937626261646230653363636661613034363863343539363832366361 +34643832376662336632363533323666303530343933636234376631646536336261336566336264 +39633637343537323865356266383864303462303538373565623566316635663366626438626237 +66366438656634336364623639653736353836343739646237633734373834636530633238653132 
+38363833333937623738323935373034626464316536646435613036663938643436366566323036 +39376339666131653365376265626131626136313663306339316230303934353231343437306161 +35656634353732386337323364343431333631356664343333353963663537373431333562356330 +65636238663438653864633938636664373637313163633766613963343563366464623437323530 +61376133623531326435313737396261393130646239323239336530353466303362336136306136 +36386564633236326530643236626630313561653630616564616139623033303438363235343136 +63333164653332323630666535663237376632323339383563333639343931333536353032653761 +61616364313739663462333336306164623365383236616539386132373733613763386166373235 +30323834316532616464323539383362653161303461333465383333353465356133623862323464 +34623661653263613366623933393330313038663837363834336561306538363335613263643362 +32636665383662613835356630636537303561663532383039633163326566336631313564643936 +37633031663133343164333032386262343861653665653663323732393130636263343932666636 +35613335386237323832663832346438633764383039616138656636633565316566636335643734 +36653931633336343665353762326336376435653963386666626534636533306632646162356561 +61656336373730666663306536336461356130663866623431646330346161376634303732313461 +37656362346636343063396662636633383633306231616363396635343533346139616438306433 +62663262656430326533613864383232356564336565643733633336626466633265366132653962 +32373963386264343132623338363263383136663963623463353239386133333932316663306331 +66396265396235383630323830353962376266393933396563666434333534633931626534663865 +37363839633135646435383535663965363437363231613162393864323161663330633266363033 +38373634323733356464313461626261633136646661613833306362306339386434666362303435 +66343430363631326366383437336338636534646664383461653733353531623466373831623631 +35393934386235356138633833333265316464363064626463316139616666613664623136663731 +65656637633436643333343738613433323733636465303762623438316162356138663838343765 
+34353433353066383634643536366562633864623039383032303365323261313966646262323332 +66373235343265356639656434353865393239343965366462346435353165346333326131656565 +30613061636636353233316637313338326635643238353937323236353032386461646363633563 +30343636376338613363303964356334666439633136336530303964316563313561623034666631 +65313464306535313863663937303565323164383537336334383437343234316437643338343231 +61326365383534643931623361373339333666626463306336623464393062313762393064346634 +39643030353063396635616139666130633235636434383861333938343039373731643166313364 +64306239666639363739323137663231653761356239633236343936313939346562633530666532 +31343032623139363130633136353036646231326339623037336533353064356165303932666536 +66646537333663313034336236373037306636343632643636663634626235323038306134306564 +34656631623439636633333830623462616364653431323035393331333331396163633539393364 +38633662366631633431653864373739333039663966383765303863343036633337636636643436 +35393962333732383732663063316532393332666332623934326166393236393936646337346564 +39373935383136356362623339363432396632396534623030656333663165643363633038336465 +35653430613738306232636632356135343533306139393334333439646136353432386365633137 +63326639613166343262343037303536363230613666313932616565373932333538326633396137 +37366562383662646461633639343338333766643564376431333332326564626434666338313466 +63396137353862653835613339646532343561373261393432393632396235326466373338333762 +39313637316462333333376539623261343139386164653664636133313434353937376230303865 +38323061663833666563366133653635323466326231346637656337366333393863366332333338 +31636239633436646633623165333833343737383137303263326361346531623237323937313762 +31323261656331656362323364313231373930666639383730633234643738663330326436303334 +34373439373538323364396433613033656333346261656338646237313236303261346636636362 +62386162323163626635363039383031663738666430653964346430646532656162373933356338 
+33323631623936623236373932613133646631306566333061616538356434363165636464636235 +62643461383139633361326463306162333530363365663064353266343734353361 diff --git a/ansible/inventories/lagoon/group_vars/webservers/vars.yaml b/ansible/inventories/lagoon/group_vars/webservers/vars.yaml new file mode 100644 index 0000000..ef08c51 --- /dev/null +++ b/ansible/inventories/lagoon/group_vars/webservers/vars.yaml @@ -0,0 +1,29 @@ +--- + +django_project_name: publichealth + +elasticsearch_heap_size: 1g + +memcached_memory_allocation_mb: 256 + +nginx_worker_processes: 2 +nginx_worker_connections: 1024 + +domain: "{{ vault_domain }}" + +allowed_domains: "{{ vault_allowed_domains }}" + +django_email_key: "{{ vault_django_email_key }}" +django_email_domain: "{{ vault_django_email_domain }}" +django_email_from: "{{ vault_django_email_from }}" + +django_secret_key: "{{ vault_django_secret_key }}" + +# Default: postgres://postgres:@postgres:5432/postgres +django_postgres_url: "{{ vault_django_postgres_url }}" + +# Default: http://elasticsearch:9200 +django_elasticsearch_url: "{{ vault_django_elasticsearch_url }}" + +# Default: redis://redis:6379 +django_redis_url: "{{ vault_django_redis_url }}" diff --git a/ansible/inventories/production/group_vars/webservers/vault.yaml b/ansible/inventories/lagoon/group_vars/webservers/vault.yaml similarity index 100% rename from ansible/inventories/production/group_vars/webservers/vault.yaml rename to ansible/inventories/lagoon/group_vars/webservers/vault.yaml diff --git a/ansible/inventories/production/webservers b/ansible/inventories/lagoon/webservers similarity index 100% rename from ansible/inventories/production/webservers rename to ansible/inventories/lagoon/webservers 
diff --git a/ansible/inventories/evolution/group_vars/webservers/vars.yaml b/ansible/inventories/nations/group_vars/webservers/vars.yaml similarity index 100% rename from ansible/inventories/evolution/group_vars/webservers/vars.yaml rename to ansible/inventories/nations/group_vars/webservers/vars.yaml diff --git a/ansible/inventories/evolution/group_vars/webservers/vault.yaml b/ansible/inventories/nations/group_vars/webservers/vault.yaml similarity index 100% rename from ansible/inventories/evolution/group_vars/webservers/vault.yaml rename to ansible/inventories/nations/group_vars/webservers/vault.yaml diff --git a/ansible/inventories/evolution/webservers b/ansible/inventories/nations/webservers similarity index 100% rename from ansible/inventories/evolution/webservers rename to ansible/inventories/nations/webservers diff --git a/ansible/nginx.yaml b/ansible/nginx.yaml new file mode 100644 index 0000000..4a7e48e --- /dev/null +++ b/ansible/nginx.yaml @@ -0,0 +1,8 @@ +- hosts: webservers + become: True + gather_facts: True + vars: + nginx_add_header: [] + roles: + - role: nginxinc.nginx + - role: dev-sec.nginx-hardening diff --git a/ansible/node.yaml b/ansible/node.yaml index 01ad453..645ca9e 100644 --- a/ansible/node.yaml +++ b/ansible/node.yaml @@ -6,5 +6,5 @@ - role: geerlingguy.nodejs nodejs_install_npm_user: ansible nodejs_npm_global_packages: - - name: bower + - name: yarn - name: grunt-cli diff --git a/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info b/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info index 9266ae8..2388dc8 100644 --- a/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info +++ b/ansible/roles/dev-sec.nginx-hardening/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Fri May 15 20:29:19 2020 +install_date: Thu Feb 18 15:39:21 2021 version: 2.1.0 
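Review bot: `nginx_add_header: []` in the new `ansible/nginx.yaml` overrides the variable that, in `dev-sec.nginx-hardening`, carries the role's list of security response headers (its default includes `X-Frame-Options`, `X-Content-Type-Options` and related headers, as far as I recall — worth confirming against the role's `defaults/main.yml`), so applying the hardening role with an empty list drops exactly the headers it exists to add. If the intent is to avoid one specific header, list the ones to keep instead of emptying the variable; if the headers are deliberately set elsewhere, record that next to the override, e.g. `# headers are set per-site in the application's nginx vhost, not by the role`. As written, a reader cannot tell whether the empty list is intentional or a placeholder that was never filled in.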
diff --git a/ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml b/ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml deleted file mode 100644 index 99857c7..0000000 --- a/ansible/roles/dev-sec.os-hardening/.github/workflows/changelog.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: Create Changelog - -on: - pull_request: - types: [closed] - - release: - types: [published] - - issues: - types: [closed, edited] - -jobs: - generate_changelog: - runs-on: ubuntu-latest - name: Generate changelog for master branch - steps: - - uses: actions/checkout@v1 - - - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: push - uses: github-actions-x/commit@v2.6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update changelog' - force-add: 'true' - files: CHANGELOG.md - name: dev-sec CI - email: github@gumpri.ch diff --git a/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml b/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml index 34cf1cf..4d5fa69 100644 --- a/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml +++ b/ansible/roles/dev-sec.os-hardening/.github/workflows/release.yml 
@@ -25,17 +25,35 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 + uses: charmixer/auto-changelog-action@8095796 + with: + token: ${{ secrets.GITHUB_TOKEN }} + future_release: ${{ steps.version.outputs.next-version }} + + - name: Generate changelog for the release + uses: charmixer/auto-changelog-action@8095796 with: token: ${{ secrets.GITHUB_TOKEN }} since_tag: ${{ steps.previoustag.outputs.tag }} future_release: ${{ steps.version.outputs.next-version }} + output: CHANGELOGRELEASE.md + + - name: push changelog + uses: github-actions-x/commit@v2.6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + push-branch: 'master' + commit-message: 'update changelog' + force-add: 'true' + files: CHANGELOG.md + name: dev-sec CI + email: hello@dev-sec.io - name: Read CHANGELOG.md id: package uses: juliangruber/read-file-action@v1 with: - path: ./CHANGELOG.md + path: ./CHANGELOGRELEASE.md - name: Create Release draft id: create_release diff --git a/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml b/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml index ab58ecd..504dd2c 100644 --- a/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml +++ b/ansible/roles/dev-sec.os-hardening/.kitchen.vagrant.yml @@ -33,6 +33,9 @@ platforms: - name: centos-6 driver_config: box: bento/centos-6.7 + provision: true + vagrantfiles: + - rhel6_provision.rb - name: centos-7 driver_config: box: bento/centos-7 @@ -42,6 +45,9 @@ platforms: - name: oracle-6 driver_config: box: bento/oracle-6 + provision: true + vagrantfiles: + - rhel6_provision.rb - name: oracle-7 driver_config: box: bento/oracle-7 @@ -57,6 +63,11 @@ platforms: - name: opensuse_tumbleweed driver_config: box: opensuse/Tumbleweed.x86_64 + provision: true + vagrantfiles: + - suse_provision.rb + provisioner: + ansible_binary_path: "/usr/local/bin" verifier: name: inspec 
diff --git a/ansible/roles/dev-sec.os-hardening/.kitchen.yml b/ansible/roles/dev-sec.os-hardening/.kitchen.yml index cceda4e..b5ae255 100644 --- a/ansible/roles/dev-sec.os-hardening/.kitchen.yml +++ b/ansible/roles/dev-sec.os-hardening/.kitchen.yml @@ -2,7 +2,16 @@ driver: name: docker use_sudo: false - privileged: true + cap_add: + - SYS_ADMIN + volume: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + run_options: + tmpfs: + - /tmp + - /run + - /run/lock + run_command: /sbin/init http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> 
@@ -28,95 +37,108 @@ platforms: driver: image: rndmh3ro/docker-centos6-ansible:latest platform: centos + provision_command: + - sed -i '/loginuid/d' /etc/pam.d/sshd + - name: centos7-ansible-latest driver: image: rndmh3ro/docker-centos7-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: centos8-ansible-latest driver: image: rndmh3ro/docker-centos8-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + provisioner: + ansible_binary_path: "/usr/local/bin" + - name: oracle6-ansible-latest driver: image: rndmh3ro/docker-oracle6-ansible:latest platform: centos + provision_command: + - sed -i '/loginuid/d' /etc/pam.d/sshd + - name: oracle7-ansible-latest driver: image: rndmh3ro/docker-oracle7-ansible:latest - run_command: /sbin/init platform: centos provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - yum -y install initscripts + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: ubuntu1604-ansible-latest driver: image: rndmh3ro/docker-ubuntu1604-ansible:latest platform: ubuntu - run_command: /sbin/init provision_command: - systemctl enable ssh.service + - name: ubuntu1804-ansible-latest driver: image: rndmh3ro/docker-ubuntu1804-ansible:latest platform: ubuntu - run_command: /sbin/init provision_command: - systemctl enable ssh.service + - name: debian9-ansible-latest driver: image: rndmh3ro/docker-debian9-ansible:latest platform: debian - run_command: /sbin/init provision_command: - apt install -y systemd-sysv - systemctl enable ssh.service + - name: debian10-ansible-latest driver: image: rndmh3ro/docker-debian10-ansible:latest platform: debian - run_command: /sbin/init provision_command: - apt 
install -y systemd-sysv - systemctl enable ssh.service + - name: amazon-ansible-latest driver: image: rndmh3ro/docker-amazon-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: fedora-ansible-latest driver: image: rndmh3ro/docker-fedora-ansible:latest platform: centos - run_command: /sbin/init provision_command: - dnf install -y python - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: opensuse_tumbleweed-ansible-latest driver: image: rndmh3ro/docker-opensuse_tumbleweed-ansible platform: opensuse provision_command: - - zypper -n install python-xml rpm-python - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - zypper -n install python-xml + - sed -i '/nologin/d' /etc/pam.d/sshd + - sed -i '/systemd/d' /etc/pam.d/common-session - systemctl enable sshd.service verifier: name: inspec sudo: true inspec_tests: - - https://github.com/dev-sec/tests-os-hardening + - https://github.com/dev-sec/linux-baseline + controls: + # skip sysctl checks, since they make no sense in docker + - /^(?!sysctl-|package-07).+/ suites: - name: os diff --git a/ansible/roles/dev-sec.os-hardening/.travis.yml b/ansible/roles/dev-sec.os-hardening/.travis.yml index ed74614..c9f49f5 100644 --- a/ansible/roles/dev-sec.os-hardening/.travis.yml +++ b/ansible/roles/dev-sec.os-hardening/.travis.yml 
@@ -2,63 +2,31 @@ services: docker env: - - distro: centos6 - version: latest - init: /sbin/init - - - distro: centos7 - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest - - - distro: centos8 - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest - - - distro: fedora - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest - - - distro: oracle6 - version: latest - init: /sbin/init - -# - distro: oracle7 -# init: /lib/systemd/systemd -# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" -# version: latest - - - distro: ubuntu1604 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: ubuntu1804 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian9 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian10 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: amazon - init: /lib/systemd/systemd - version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - # - distro: opensuse_tumbleweed - # init: /usr/lib/systemd/systemd - # version: latest - # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --volume=/run:/run:ro" + global: + - version=latest + - init=/sbin/init + - run_opts="--cap-add SYS_ADMIN" + - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro" + jobs: + - distro=centos6 + volume=":" + run_opts="" + - distro=centos7 + - distro=centos8 + - distro=oracle6 + volume=":" + run_opts="" +# - distro=oracle7 + - distro=ubuntu1604 + - distro=ubuntu1804 + - distro=debian9 + init=/lib/systemd/systemd + - distro=debian10 + - 
distro=amazon + - distro=fedora + init=/lib/systemd/systemd + - distro=opensuse_tumbleweed + run_opts="--privileged" before_install: # Pull container @@ -70,7 +38,7 @@ script: - container_id=$(mktemp) # Run container in detached state. - - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' + - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' # Output Ansible version from docker image - 'docker exec "$(cat ${container_id})" ansible-playbook --version' @@ -79,7 +47,7 @@ script: - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff' # Verify role - - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit' + - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit' notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/ansible/roles/dev-sec.os-hardening/CHANGELOG.md b/ansible/roles/dev-sec.os-hardening/CHANGELOG.md index faa840e..7125878 100644 --- a/ansible/roles/dev-sec.os-hardening/CHANGELOG.md +++ b/ansible/roles/dev-sec.os-hardening/CHANGELOG.md 
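Review bot: For `centos6` and `oracle6` the matrix sets `volume=":"`, and the run line in the next hunk passes it unconditionally as `--volume="${volume}"`; unless docker accepts an empty host:container pair (I cannot confirm it does), those two jobs fail at container start rather than running without the cgroup mount. Safer is to leave `volume` empty for them and add the flag only when set, e.g. `volume_opt=${volume:+--volume="${volume}"}` before the run and `${volume_opt}` in place of `--volume="${volume}"`. Replacing `--privileged` with `--cap-add SYS_ADMIN` globally is the right direction; `opensuse_tumbleweed` keeping `run_opts="--privileged"` deserves a one-line comment saying why it still needs it.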
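Review bot: Every linux-baseline control, including the `sysctl-*` ones the kitchen verifier in this same diff skips as meaningless in docker, now runs in the travis container because the `--controls=…` list was dropped. Either those controls fail for environment reasons or, if they happen to pass, the build stops gating on a deliberate subset; mirror the kitchen filter, e.g. `--controls '/^(?!sysctl-|package-07).+/'`, or add a comment explaining why the full profile is expected to pass here. Note that `--no-distinct-exit` only collapses inspec's 100/101 exit codes to 1/0, so control failures still fail the job.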
@@ -1,8 +1,71 @@ # Changelog -## [Unreleased](https://github.com/dev-sec/ansible-os-hardening/tree/HEAD) +## [6.2.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.2.0) (2020-08-16) -[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...HEAD) +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.1.0...6.2.0) + +**Implemented enhancements:** + +- Optimize and unify when clause [\#295](https://github.com/dev-sec/ansible-os-hardening/pull/295) ([Alexhha](https://github.com/Alexhha)) +- use find module instead of shell [\#294](https://github.com/dev-sec/ansible-os-hardening/pull/294) ([danielkubat](https://github.com/danielkubat)) +- improve testing [\#287](https://github.com/dev-sec/ansible-os-hardening/pull/287) ([schurzi](https://github.com/schurzi)) + +**Fixed bugs:** + +- Inconsistent use of role vars/role defaults [\#284](https://github.com/dev-sec/ansible-os-hardening/issues/284) + +**Closed issues:** + +- Consider using find module instead of shell [\#293](https://github.com/dev-sec/ansible-os-hardening/issues/293) +- Optimize logical OR in when clause [\#292](https://github.com/dev-sec/ansible-os-hardening/issues/292) +- vfat added to dev-sec.conf, but efi is used [\#288](https://github.com/dev-sec/ansible-os-hardening/issues/288) +- OpenSUSE Support [\#249](https://github.com/dev-sec/ansible-os-hardening/issues/249) + +**Merged pull requests:** + +- fix fedora build [\#296](https://github.com/dev-sec/ansible-os-hardening/pull/296) ([rndmh3ro](https://github.com/rndmh3ro)) +- move hidepid vars into defaults so theyre overwritable [\#285](https://github.com/dev-sec/ansible-os-hardening/pull/285) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.1.0](https://github.com/dev-sec/ansible-os-hardening/tree/6.1.0) (2020-07-21) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.3...6.1.0) + +**Implemented enhancements:** + +- Mount proc filesystem using hidepid option 
[\#283](https://github.com/dev-sec/ansible-os-hardening/pull/283) ([alegrey91](https://github.com/alegrey91)) + +**Fixed bugs:** + +- Is it safe to use on Debian 10? The build is failing. [\#281](https://github.com/dev-sec/ansible-os-hardening/issues/281) + +**Closed issues:** + +- The state of the galaxy release [\#269](https://github.com/dev-sec/ansible-os-hardening/issues/269) + +**Merged pull requests:** + +- do not blacklist used filesystems [\#289](https://github.com/dev-sec/ansible-os-hardening/pull/289) ([schurzi](https://github.com/schurzi)) +- install procps in debian so sysctl.conf exists [\#282](https://github.com/dev-sec/ansible-os-hardening/pull/282) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.0.3](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.3) (2020-06-06) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.2...6.0.3) + +**Implemented enhancements:** + +- unify changelog and release actions [\#279](https://github.com/dev-sec/ansible-os-hardening/pull/279) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [6.0.2](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.2) (2020-06-02) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.1...6.0.2) + +**Implemented enhancements:** + +- purge insecure packages [\#275](https://github.com/dev-sec/ansible-os-hardening/pull/275) ([chris-rock](https://github.com/chris-rock)) + +## [6.0.1](https://github.com/dev-sec/ansible-os-hardening/tree/6.0.1) (2020-05-09) + +[Full Changelog](https://github.com/dev-sec/ansible-os-hardening/compare/6.0.0...6.0.1) **Implemented enhancements:** 
@@ -19,7 +82,7 @@ - Add Debian Buster support for ansible-os-hardening [\#233](https://github.com/dev-sec/ansible-os-hardening/issues/233) - Add CentOS 8 support for ansible-os-hardening [\#232](https://github.com/dev-sec/ansible-os-hardening/issues/232) - Add selinux configuration [\#154](https://github.com/dev-sec/ansible-os-hardening/issues/154) -- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([Aisbergg](https://github.com/Aisbergg)) +- Make useradd defaults in login.defs dependent on OS [\#266](https://github.com/dev-sec/ansible-os-hardening/pull/266) ([aisbergg](https://github.com/aisbergg)) - Add kernel hardening parameters from Tails and CIS Benchmark [\#263](https://github.com/dev-sec/ansible-os-hardening/pull/263) ([kravietz](https://github.com/kravietz)) - add ansible-lint [\#262](https://github.com/dev-sec/ansible-os-hardening/pull/262) ([rndmh3ro](https://github.com/rndmh3ro)) - Remove trailing space [\#261](https://github.com/dev-sec/ansible-os-hardening/pull/261) ([kravietz](https://github.com/kravietz)) 
@@ -28,7 +91,7 @@ - Standardize the var ordering [\#251](https://github.com/dev-sec/ansible-os-hardening/pull/251) ([dustinmiller1337](https://github.com/dustinmiller1337)) - Add intial support for OpenSUSE [\#250](https://github.com/dev-sec/ansible-os-hardening/pull/250) ([dustinmiller1337](https://github.com/dustinmiller1337)) - Make max\_log\_file\_action for auditd configurable [\#246](https://github.com/dev-sec/ansible-os-hardening/pull/246) ([jandd](https://github.com/jandd)) -- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([okupriyanov](https://github.com/okupriyanov)) +- Add exception in sysctl task [\#240](https://github.com/dev-sec/ansible-os-hardening/pull/240) ([ghost](https://github.com/ghost)) - Fedora - Use new auto ansible\_python\_interpreter for dnf [\#239](https://github.com/dev-sec/ansible-os-hardening/pull/239) ([jaredledvina](https://github.com/jaredledvina)) - add test support for CentOS8 [\#237](https://github.com/dev-sec/ansible-os-hardening/pull/237) ([yeoldegrove](https://github.com/yeoldegrove)) - Support configuring SELinux and default to enforcing [\#236](https://github.com/dev-sec/ansible-os-hardening/pull/236) ([jaredledvina](https://github.com/jaredledvina)) 
@@ -47,7 +110,7 @@ - Add a "don't fail on error" switch ? [\#148](https://github.com/dev-sec/ansible-os-hardening/issues/148) - Addressing issue \#255 [\#258](https://github.com/dev-sec/ansible-os-hardening/pull/258) ([ljkimmel](https://github.com/ljkimmel)) - Fix \#247, cleanup conditions [\#248](https://github.com/dev-sec/ansible-os-hardening/pull/248) ([fernandezcuesta](https://github.com/fernandezcuesta)) -- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([okupriyanov](https://github.com/okupriyanov)) +- Fix error on applying the sysctl vars on containers [\#243](https://github.com/dev-sec/ansible-os-hardening/pull/243) ([ghost](https://github.com/ghost)) - Update location of NSA RHEL 5 Guide [\#235](https://github.com/dev-sec/ansible-os-hardening/pull/235) ([jaredledvina](https://github.com/jaredledvina)) ## [5.2.1](https://github.com/dev-sec/ansible-os-hardening/tree/5.2.1) (2019-06-09) 
@@ -123,9 +186,7 @@ - Rename pam\_passwdqd.j2 to pam\_passwdqc.j2 [\#172](https://github.com/dev-sec/ansible-os-hardening/pull/172) ([martinbydefault](https://github.com/martinbydefault)) - Use package state 'present' since 'installed' is deprecated [\#168](https://github.com/dev-sec/ansible-os-hardening/pull/168) ([Normo](https://github.com/Normo)) - Update syntax to Ansible 2.4 [\#161](https://github.com/dev-sec/ansible-os-hardening/pull/161) ([thomasjpfan](https://github.com/thomasjpfan)) -- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro)) - Add support for Amazon Linux [\#158](https://github.com/dev-sec/ansible-os-hardening/pull/158) ([woneill](https://github.com/woneill)) -- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro)) - Remove deprecated include for static tasks and use instead import\_tasks fix \#131 [\#132](https://github.com/dev-sec/ansible-os-hardening/pull/132) ([HelioCampos](https://github.com/HelioCampos)) **Fixed bugs:** 
@@ -148,12 +209,14 @@ - Update some RH settings in this role [\#155](https://github.com/dev-sec/ansible-os-hardening/issues/155) - Removal of core dump hardening configuration if core dumps are allowed [\#129](https://github.com/dev-sec/ansible-os-hardening/issues/129) +- add amazon linux testing [\#160](https://github.com/dev-sec/ansible-os-hardening/pull/160) ([rndmh3ro](https://github.com/rndmh3ro)) - Don't create home for system accounts [\#156](https://github.com/dev-sec/ansible-os-hardening/pull/156) ([oakey-b1](https://github.com/oakey-b1)) - Prevent disabling of filesystems via whitelist [\#153](https://github.com/dev-sec/ansible-os-hardening/pull/153) ([manuelprinz](https://github.com/manuelprinz)) - Add kernel hardening settings from Ubuntu /etc/sysctl.d [\#150](https://github.com/dev-sec/ansible-os-hardening/pull/150) ([kravietz](https://github.com/kravietz)) - Removal of core dump hardening configuration if core dumps are allowed [\#146](https://github.com/dev-sec/ansible-os-hardening/pull/146) ([martinbydefault](https://github.com/martinbydefault)) - add missing sysctl parameter [\#143](https://github.com/dev-sec/ansible-os-hardening/pull/143) ([rndmh3ro](https://github.com/rndmh3ro)) - update readme [\#139](https://github.com/dev-sec/ansible-os-hardening/pull/139) ([rndmh3ro](https://github.com/rndmh3ro)) +- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro)) **Fixed bugs:** 
@@ -184,7 +247,7 @@ **Implemented enhancements:** -- add modprobe template, control os-10 [\#138](https://github.com/dev-sec/ansible-os-hardening/pull/138) ([rndmh3ro](https://github.com/rndmh3ro)) +- install and configure auditd - fix inspec package-08 [\#144](https://github.com/dev-sec/ansible-os-hardening/pull/144) ([rndmh3ro](https://github.com/rndmh3ro)) - new task for delete netrc files, control os-09 [\#137](https://github.com/dev-sec/ansible-os-hardening/pull/137) ([rndmh3ro](https://github.com/rndmh3ro)) - add passwd task, control os-03 [\#136](https://github.com/dev-sec/ansible-os-hardening/pull/136) ([rndmh3ro](https://github.com/rndmh3ro)) - remove prelink package, control package-09 [\#135](https://github.com/dev-sec/ansible-os-hardening/pull/135) ([rndmh3ro](https://github.com/rndmh3ro)) diff --git a/ansible/roles/dev-sec.os-hardening/README.md b/ansible/roles/dev-sec.os-hardening/README.md index 5186dcb..cdc50d3 100644 --- a/ansible/roles/dev-sec.os-hardening/README.md +++ b/ansible/roles/dev-sec.os-hardening/README.md @@ -1,7 +1,6 @@ # os-hardening (Ansible Role) [![Build Status](http://img.shields.io/travis/dev-sec/ansible-os-hardening.svg)][1] -[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2] [![Ansible Galaxy](https://img.shields.io/badge/galaxy-os--hardening-660198.svg)][3] ## Description 
@@ -81,6 +80,8 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f | `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` | | `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. | | `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. | +| `hidepid_option` | `2` | `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc. | +| `proc_mnt_options` | `rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}` | Mount proc with hardenized options, including `hidepid` with variable value. | ## Packages diff --git a/ansible/roles/dev-sec.os-hardening/defaults/main.yml b/ansible/roles/dev-sec.os-hardening/defaults/main.yml index e047f49..db87948 100644 --- a/ansible/roles/dev-sec.os-hardening/defaults/main.yml +++ b/ansible/roles/dev-sec.os-hardening/defaults/main.yml @@ -278,3 +278,6 @@ os_auditd_max_log_file_action: keep_logs os_selinux_state: enforcing # Set the SELinux polixy. os_selinux_policy: targeted + +hidepid_option: '2' # allowed values: 0, 1, 2 +proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}' diff --git a/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info b/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info index 099ab8c..e635dbc 100644 --- a/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info +++ b/ansible/roles/dev-sec.os-hardening/meta/.galaxy_install_info 
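Review bot: `hidepid_option` and `proc_mnt_options` are the only defaults in this block without the `os_` prefix carried by `os_auditd_max_log_file_action`, `os_selinux_state` and `os_selinux_policy`, so they read as internal variables rather than role inputs. If the README table is the public contract, adding `os_hidepid_option` / `os_proc_mnt_options` and keeping the unprefixed names as fallbacks would keep the namespace consistent without breaking callers. The `# allowed values: 0, 1, 2` comment is not enforced anywhere; a one-line `assert` (`that: hidepid_option in ['0', '1', '2']`) where the option is consumed would turn a typo into a clear failure instead of an invalid mount option written to fstab. The quoted default `'2'` also means the value is a string wherever it is used, which is worth stating in the README row.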
@@ -1,2 +1,2 @@ -install_date: Fri May 15 20:29:23 2020 -version: 6.0.1 +install_date: Thu Feb 18 15:39:25 2021 +version: 6.2.0 diff --git a/ansible/roles/dev-sec.os-hardening/rhel6_provision.rb b/ansible/roles/dev-sec.os-hardening/rhel6_provision.rb new file mode 100644 index 0000000..169dddb --- /dev/null +++ b/ansible/roles/dev-sec.os-hardening/rhel6_provision.rb @@ -0,0 +1,7 @@ +Vagrant.configure(2) do |config| + config.vm.provision "shell", inline: <<-SHELL + rpm -i http://mirror.de.leaseweb.net/epel/6/x86_64/epel-release-6-8.noarch.rpm + sed -i 's/\\(mirrorlist=http\\)s/\\1/' /etc/yum.repos.d/epel.repo + yum install -y ansible libselinux-python + SHELL +end \ No newline at end of file diff --git a/ansible/roles/dev-sec.os-hardening/suse_provision.rb b/ansible/roles/dev-sec.os-hardening/suse_provision.rb new file mode 100644 index 0000000..5db4bd2 --- /dev/null +++ b/ansible/roles/dev-sec.os-hardening/suse_provision.rb @@ -0,0 +1,7 @@ +Vagrant.configure(2) do |config| + config.vm.provision "shell", inline: <<-SHELL + zypper -n install python2-setuptools + mkdir -p /usr/local/lib/python2.7/site-packages/ + ln -s /usr/local/bin/pip /usr/bin/ + SHELL +end \ No newline at end of file diff --git a/ansible/roles/dev-sec.os-hardening/tasks/apt.yml b/ansible/roles/dev-sec.os-hardening/tasks/apt.yml index 9eabf31..bf47469 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/apt.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/apt.yml @@ -3,4 +3,5 @@ apt: name: '{{ os_security_packages_list }}' state: 'absent' + purge: 'yes' when: os_security_packages_clean | bool diff --git a/ansible/roles/dev-sec.os-hardening/tasks/auditd.yml b/ansible/roles/dev-sec.os-hardening/tasks/auditd.yml index 2ff1ed2..13a6241 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/auditd.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/auditd.yml @@ -1,5 +1,4 @@ --- - - name: install auditd package | package-08 package: name: '{{ auditd_package }}' 
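Review bot: `rpm -i http://mirror.de.leaseweb.net/epel/6/x86_64/epel-release-6-8.noarch.rpm` installs a package fetched over plain HTTP before any EPEL signing key is imported, and the following `sed` rewrites the EPEL `mirrorlist` from https to http, so everything this VM subsequently pulls from EPEL is obtained without transport protection; `rpm -i` only warns (NOKEY) when the signer is unknown, it does not refuse. Even for a disposable Vagrant box, import the EPEL 6 key first (`rpm --import`) so the signature is actually checked, or install `epel-release` from the distribution's own signed extras repository, and if the https→http downgrade is a CentOS 6 TLS workaround, say so in a comment, e.g. `# CentOS 6 tooling cannot fetch the EPEL mirrorlist over TLS; http tolerated for this test VM only`. Both new `*_provision.rb` files also lack a trailing newline, as the `\ No newline at end of file` markers show.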
diff --git a/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml b/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml index 3f309f0..a31123d 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/hardening.yml @@ -56,10 +56,9 @@ tags: yum - import_tasks: apt.yml - when: ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu' + when: ansible_facts.distribution in ['Debian', 'Ubuntu'] tags: apt - import_tasks: selinux.yml tags: selinux - when: - - ansible_facts.selinux.status == 'enabled' + when: ansible_facts.selinux.status == 'enabled' diff --git a/ansible/roles/dev-sec.os-hardening/tasks/limits.yml b/ansible/roles/dev-sec.os-hardening/tasks/limits.yml index 804cbad..ab7c37e 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/limits.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/limits.yml @@ -1,5 +1,4 @@ --- - - block: - name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b file: diff --git a/ansible/roles/dev-sec.os-hardening/tasks/main.yml b/ansible/roles/dev-sec.os-hardening/tasks/main.yml index 3571b6f..441fd98 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/main.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/main.yml @@ -1,4 +1,3 @@ --- - - import_tasks: hardening.yml when: os_hardening_enabled | bool diff --git a/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml b/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml index 1b5f94b..53dfeb5 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/minimize_access.yml @@ -48,3 +48,11 @@ group: 'root' mode: '0750' when: '"change_user" not in os_security_users_allow' + +- name: set option hidepid for proc filesystem + mount: + path: /proc + src: proc + fstype: proc + opts: '{{ proc_mnt_options }}' + state: present 
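Review bot: The new `mount` task uses `state: present`, which only writes the fstab entry; the live `/proc` is not remounted, so `hidepid` is not in effect until the next reboot (or a manual `mount -o remount /proc`) and neither the task nor the README row says so. If the intent is to apply it immediately, `state: mounted` remounts when the options differ as far as I know, but that remount is refused inside docker/lxc, so it would need the `ansible_virtualization_type not in ['docker', 'lxc', 'openvz']` guard that sysctl.yml already uses; otherwise keep `present` and add `# fstab only; takes effect after reboot or a manual remount of /proc` above the task. Also worth a comment next to `opts`: `hidepid=2` with no `gid=` exception group is widely reported to break polkit and systemd user sessions, so operators on systemd hosts usually have to extend `proc_mnt_options` with `,gid=<group>` — a default worth flagging rather than shipping silently.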
diff --git a/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml b/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml index bccb54b..5cd7434 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/modprobe.yml @@ -12,7 +12,15 @@ - name: remove vfat from fs-list if efi is used set_fact: os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}" - when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir + when: + - efi_installed.stat.isdir is defined + - efi_installed.stat.isdir + +- name: remove used filesystems from fs-list + set_fact: + os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}" + # we cannot do this on el6 and below, because these systems don't support the map function + when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') - name: disable unused filesystems | os-10 template: diff --git a/ansible/roles/dev-sec.os-hardening/tasks/pam.yml b/ansible/roles/dev-sec.os-hardening/tasks/pam.yml index 1beeac4..a996729 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/pam.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/pam.yml @@ -121,6 +121,7 @@ - name: Gather package facts package_facts: manager: auto + when: ansible_facts.os_family != 'Suse' - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512 template: @@ -129,4 +130,6 @@ mode: '0640' owner: 'root' group: 'root' - when: "'libuser' in ansible_facts.packages" + when: + - ansible_facts.os_family != 'Suse' + - "'libuser' in ansible_facts.packages" diff --git a/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml b/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml index fa1afc5..7a6d83b 100644 --- a/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/sysctl.yml 
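Review bot: `ansible_facts.distribution_major_version < '7'` in the new `when` is a string comparison, so a major version of `'10'` sorts before `'7'` and would be treated as EL6, skipping the used-filesystem exclusion; the sysctl.yml hunk later in this diff already uses `is version('7', '<')` for the same test, so write `ansible_facts.distribution_major_version is version('7', '<')` here for correctness and consistency. `ansible_mounts` is the legacy top-level fact name while the rest of the hunk uses the `ansible_facts.*` form; `ansible_facts.mounts` is the consistent spelling. The exclusion also reflects only what is mounted at run time, so a filesystem mounted later (removable media, autofs) is still blacklisted — a one-line comment noting that would prevent a surprise.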
@@ -13,15 +13,16 @@ owner: 'root' group: 'root' mode: '0544' - when: ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or - ansible_facts.distribution == 'CentOS' or ansible_facts.distribution == 'Amazon' + when: ansible_facts.distribution in ['Amazon', 'CentOS', 'Fedora', 'RedHat'] - name: install initramfs-tools apt: name: 'initramfs-tools' state: 'present' update_cache: true - when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading + when: + - ansible_facts.os_family == 'Debian' + - os_security_kernel_enable_module_loading - name: rebuild initramfs with starting pack of modules, if module loading at runtime is disabled template: @@ -32,7 +33,9 @@ mode: '0440' notify: - update-initramfs - when: ansible_facts.os_family == 'Debian' and os_security_kernel_enable_module_loading + when: + - ansible_facts.os_family == 'Debian' + - os_security_kernel_enable_module_loading register: initramfs - name: change sysctls @@ -60,14 +63,16 @@ reload: yes ignoreerrors: yes with_dict: '{{ sysctl_rhel_config }}' - when: ((ansible_facts.distribution == 'RedHat' or ansible_facts.distribution == 'Fedora' or ansible_facts.distribution == 'CentOS') and + when: ((ansible_facts.distribution in ['CentOS', 'Fedora', 'RedHat']) and ansible_distribution_version|int is version('7', '<')) or ansible_facts.distribution == 'Amazon' - when: ansible_virtualization_type not in ['docker', 'openvz', 'lxc'] + when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz'] - name: Apply ufw defaults template: src: 'etc/default/ufw.j2' dest: '/etc/default/ufw' - when: ufw_manage_defaults and (ansible_facts.distribution == 'Debian' or ansible_facts.distribution == 'Ubuntu') + when: + - ufw_manage_defaults + - ansible_facts.distribution in ['Debian', 'Ubuntu'] tags: ufw diff --git a/ansible/roles/dev-sec.os-hardening/tasks/yum.yml b/ansible/roles/dev-sec.os-hardening/tasks/yum.yml index 9902af6..9d6599a 100644 
--- a/ansible/roles/dev-sec.os-hardening/tasks/yum.yml +++ b/ansible/roles/dev-sec.os-hardening/tasks/yum.yml 
@@ -3,35 +3,42 @@ file: name: '/etc/yum.repos.d/{{ item }}.repo' state: 'absent' - with_items: + loop: - 'CentOS-Debuginfo' - 'CentOS-Media' - 'CentOS-Vault' when: os_security_packages_clean | bool - name: get yum-repository-files - shell: 'find /etc/yum.repos.d/ -type f -name *.repo' - changed_when: False + find: + paths: '/etc/yum.repos.d' + patterns: '*.repo' register: yum_repos - # for the 'default([])' see here: - # https://github.com/dev-sec/ansible-os-hardening/issues/99 and - # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause - # - # failed_when is needed because by default replace module will fail if the file doesn't exists. - # status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored. - # All other errors will still be raised. +# for the 'default([])' see here: +# https://github.com/dev-sec/ansible-os-hardening/issues/99 and +# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause +- name: activate gpg-check for yum-repository-files + replace: + path: '{{ item.path }}' + regexp: '^\s*gpgcheck.*' + replace: 'gpgcheck=1' + with_items: + - '{{ yum_repos.files | default([]) }}' + +# failed_when is needed because by default replace module will fail if the file doesn't exists. +# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored. +# All other errors will still be raised. 
- name: activate gpg-check for config files replace: - dest: '{{ item }}' - regexp: '^\s*gpgcheck: 0' - replace: 'gpgcheck: 1' + path: '{{ item }}' + regexp: '^\s*gpgcheck\W.*' + replace: 'gpgcheck=1' register: status failed_when: status.rc is defined and status.rc != 257 - with_flattened: + loop: - '/etc/yum.conf' - '/etc/dnf/dnf.conf' - - '{{ yum_repos.stdout_lines| default([]) }}' # noqa 104 - '/etc/yum/pluginconf.d/rhnplugin.conf' - name: remove deprecated or insecure packages | package-01 - package-09 diff --git a/ansible/roles/dev-sec.os-hardening/tests/test.yml b/ansible/roles/dev-sec.os-hardening/tests/test.yml index 3816755..dd26d0f 100644 --- a/ansible/roles/dev-sec.os-hardening/tests/test.yml +++ b/ansible/roles/dev-sec.os-hardening/tests/test.yml @@ -13,6 +13,10 @@ apt: update_cache: yes when: ansible_facts.os_family == 'Debian' + - name: install required tools on debian + apt: + name: procps + when: ansible_facts.os_family == 'Debian' - name: install required tools on fedora dnf: name: @@ -20,6 +24,9 @@ - findutils - procps-ng when: ansible_facts.distribution == 'Fedora' + - name: install required tools on SuSE + shell: "zypper -n install python-xml" + when: ansible_facts.os_family == 'Suse' - name: create recursing symlink to test minimize access shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz" vars: diff --git a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml deleted file mode 100644 index 99857c7..0000000 --- a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/changelog.yml +++ /dev/null 
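Review bot: After this change the file mixes `loop:` (the repo-file removal and `activate gpg-check for config files` tasks) with `with_items:` in the new `activate gpg-check for yum-repository-files` task; `loop: '{{ yum_repos.files | default([]) }}'` is the consistent form. Since `find` always returns a `files` list when it runs and the task has no `when`, the `default([])` guard and the three-line comment justifying it (which appears to have been written for the old `stdout_lines` result) are probably obsolete — keep them only if the find task can be skipped. `replace` only rewrites existing `gpgcheck` lines: a repo section or `yum.conf` without the key keeps the package manager's default and is not hardened by this task, which deserves a comment or a follow-up `ini_file`/`lineinfile` step. The `with_flattened` → `loop` change is harmless here because all three remaining entries are plain strings.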
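Review bot: `shell: "zypper -n install python-xml"` in the new SuSE task sits beside `apt:` and `dnf:` module tasks doing the same job; the `zypper` module (or `package:`) is idempotent and reports `changed` only when it installs something, while the shell form reports changed on every run and trips ansible-lint's command-instead-of-module check. Propose replacing the shell line with `zypper:` / `name: python-xml` / `state: present`. The enclosing play and its task list begin before the hunk.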
@@ -1,34 +0,0 @@ -name: Create Changelog - -on: - pull_request: - types: [closed] - - release: - types: [published] - - issues: - types: [closed, edited] - -jobs: - generate_changelog: - runs-on: ubuntu-latest - name: Generate changelog for master branch - steps: - - uses: actions/checkout@v1 - - - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: push - uses: github-actions-x/commit@v2.6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update changelog' - force-add: 'true' - files: CHANGELOG.md - name: dev-sec CI - email: github@gumpri.ch diff --git a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml index 951f439..4d5fa69 100644 --- a/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.github/workflows/release.yml 
@@ -25,18 +25,35 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 + uses: charmixer/auto-changelog-action@8095796 + with: + token: ${{ secrets.GITHUB_TOKEN }} + future_release: ${{ steps.version.outputs.next-version }} + + - name: Generate changelog for the release + uses: charmixer/auto-changelog-action@8095796 with: token: ${{ secrets.GITHUB_TOKEN }} since_tag: ${{ steps.previoustag.outputs.tag }} - # wait for https://github.com/CharMixer/auto-changelog-action/pull/3 - #future_release: ${{ steps.version.outputs.next-version }} + future_release: ${{ steps.version.outputs.next-version }} + output: CHANGELOGRELEASE.md + + - name: push changelog + uses: github-actions-x/commit@v2.6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + push-branch: 'master' + commit-message: 'update changelog' + force-add: 'true' + files: CHANGELOG.md + name: dev-sec CI + email: hello@dev-sec.io - name: Read CHANGELOG.md id: package uses: juliangruber/read-file-action@v1 with: - path: ./CHANGELOG.md + path: ./CHANGELOGRELEASE.md - name: Create Release draft id: create_release diff --git a/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml b/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml index 2a1dff0..2c43610 100644 --- a/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.kitchen.vagrant.yml @@ -33,6 +33,9 @@ platforms: - name: centos-7 driver_config: box: bento/centos-7 +- name: centos-8 + driver_config: + box: bento/centos-8 - name: oracle-6 driver_config: box: bento/oracle-6 diff --git a/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml b/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml index e243825..fde7b51 100644 --- a/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.kitchen.yml 
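Review bot: `charmixer/auto-changelog-action@8095796` pins a third-party action that runs with a token able to push to `master`, which is the right instinct, but a 7-character abbreviation is not what GitHub recommends and can become ambiguous as the upstream repository grows; use the full 40-character commit SHA with the version in a trailing comment, e.g. `uses: charmixer/auto-changelog-action@<full-sha> # <tag>`. The same hunk still references `github-actions-x/commit@v2.6` and `juliangruber/read-file-action@v1` by mutable tag, and the `push changelog` step hands the commit action a write-capable `GITHUB_TOKEN` with `force-add`; pin those two the same way and state the intended token scope (the workflow-level `permissions` key is where to restrict it). The `jobs:` block this hunk edits begins before the hunk.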
@@ -2,7 +2,16 @@ driver: name: docker use_sudo: false - privileged: true + cap_add: + - SYS_ADMIN + volume: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + run_options: + tmpfs: + - /tmp + - /run + - /run/lock + run_command: /sbin/init http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> 
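Review bot: Nothing records why this particular replacement for `privileged: true` — `cap_add: SYS_ADMIN`, a read-only cgroup bind, tmpfs on `/tmp`, `/run` and `/run/lock`, and `run_command: /sbin/init` — is sufficient, so the next systemd start-up failure in CI is likely to be "fixed" by restoring `privileged: true`. Propose a comment above `cap_add:`: `# what systemd as PID 1 needs instead of --privileged: SYS_ADMIN, ro cgroup tree, tmpfs on /run and /run/lock`. CAP_SYS_ADMIN is still close to root-equivalent on the shared kernel, so this narrows rather than removes the trust placed in the test images. The `driver:` mapping continues past the hunk.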
@@ -28,72 +37,96 @@ platforms: driver: image: rndmh3ro/docker-centos6-ansible:latest platform: centos + provision_command: + - sed -i '/loginuid/d' /etc/pam.d/sshd + - name: centos7-ansible-latest driver: image: rndmh3ro/docker-centos7-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + +- name: centos8-ansible-latest + driver: + image: rndmh3ro/docker-centos8-ansible:latest + platform: centos + provision_command: + - sed -i '/nologin/d' /etc/pam.d/sshd + - systemctl enable sshd.service + provisioner: + ansible_binary_path: "/usr/local/bin" + - name: oracle6-ansible-latest driver: image: rndmh3ro/docker-oracle6-ansible:latest platform: centos + provision_command: + - sed -i '/loginuid/d' /etc/pam.d/sshd + - name: oracle7-ansible-latest driver: image: rndmh3ro/docker-oracle7-ansible:latest - run_command: /sbin/init platform: centos provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: ubuntu1604-ansible-latest driver: image: rndmh3ro/docker-ubuntu1604-ansible:latest platform: ubuntu - run_command: /sbin/init provision_command: - systemctl enable ssh.service + - name: ubuntu1804-ansible-latest driver: image: rndmh3ro/docker-ubuntu1804-ansible:latest platform: ubuntu - run_command: /sbin/init provision_command: - systemctl enable ssh.service + - name: debian9-ansible-latest driver: image: rndmh3ro/docker-debian9-ansible:latest platform: debian - run_command: /sbin/init provision_command: - apt install -y systemd-sysv - systemctl enable ssh.service + - name: debian10-ansible-latest driver: image: rndmh3ro/docker-debian10-ansible platform: debian - run_command: /sbin/init provision_command: - apt install -y systemd-sysv - systemctl enable ssh.service + - name: amazon-ansible-latest driver: image: 
rndmh3ro/docker-amazon-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service + - name: fedora-ansible-latest driver: image: rndmh3ro/docker-fedora-ansible:latest platform: centos - run_command: /sbin/init provision_command: - - dnf install -y python - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - dnf install -y python procps-ng + - sed -i '/nologin/d' /etc/pam.d/sshd + - systemctl enable sshd.service + +- name: arch-ansible-latest + driver: + image: rndmh3ro/docker-arch-ansible:latest + platform: arch + run_command: /usr/lib/systemd/systemd + provision_command: + - sed -i '/nologin/d' /etc/pam.d/sshd - systemctl enable sshd.service verifier: diff --git a/ansible/roles/dev-sec.ssh-hardening/.travis.yml b/ansible/roles/dev-sec.ssh-hardening/.travis.yml index c21539a..391091d 100644 --- a/ansible/roles/dev-sec.ssh-hardening/.travis.yml +++ b/ansible/roles/dev-sec.ssh-hardening/.travis.yml 
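Review bot: The new `sed -i '/nologin/d' /etc/pam.d/sshd` and `sed -i '/loginuid/d' /etc/pam.d/sshd` provisioning lines edit the test images' PAM stack without explanation, and they replace the earlier `UsePAM no` workaround, so the role is now exercised with PAM enabled but against a PAM configuration production hosts will not have. Add a comment above the first occurrence stating why those modules block SSH logins inside a container (presumably pam_loginuid failing without audit support, and pam_nologin) and, if the role itself never touches /etc/pam.d, say so, so nobody mistakes this for role behaviour. The patterns are also bare substring matches; `/pam_nologin/d` and `/pam_loginuid/d` would not accidentally delete unrelated lines that merely mention those words. This hunk spans the whole platforms list, so the same comment applies to all the RHEL-family entries.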
@@ -2,53 +2,32 @@ services: docker env: - - distro: centos6 - version: latest - init: /sbin/init - - - distro: centos7 - init: /usr/lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest - - - distro: oracle6 - version: latest - init: /sbin/init - -# - distro: oracle7 -# init: /usr/lib/systemd/systemd -# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" -# version: latest - - - distro: ubuntu1604 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: ubuntu1804 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian9 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian10 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: amazon - init: /lib/systemd/systemd - version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: fedora - init: /lib/systemd/systemd - version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + global: + - version=latest + - init=/sbin/init + - run_opts="--cap-add SYS_ADMIN" + - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro" + jobs: + - distro=centos6 + volume=":" + run_opts="" + - distro=centos7 + - distro=centos8 + - distro=oracle6 + volume=":" + run_opts="" +# - distro=oracle7 + - distro=ubuntu1604 + - distro=ubuntu1804 + - distro=debian9 + init=/lib/systemd/systemd + - distro=debian10 + - distro=amazon + - distro=fedora + init=/lib/systemd/systemd + - distro=arch + init=/usr/lib/systemd/systemd + run_opts="--privileged" before_install: # Pull container 
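Review bot: `arch` keeps `run_opts="--privileged"` while every other distro moved to the global `--cap-add SYS_ADMIN`, and the hunk does not say why; a comment on that job such as `# arch image still needs full privileged mode for systemd; revisit` would keep the exception from spreading. The `volume=":"` overrides for centos6 and oracle6 are a sentinel that reaches `docker run` verbatim as `--volume=":"` in the script hunk below; it is not obvious that every Docker version accepts an empty spec, and the intent is hidden. Building the flag conditionally — `${volume:+--volume="${volume}"}` in the run line, with `volume=""` for those two jobs — makes the intent explicit and removes the dependence on how Docker parses `:`.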
@@ -60,17 +39,14 @@ script: - container_id=$(mktemp) # Run container in detached state. - - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' + - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-ssh-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' # Test role. - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default_custom.yml --diff' - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-ssh-hardening/tests/default.yml --diff' # Verify role - # remove the UseLogin-check, see here for reasons: https://github.com/dev-sec/ansible-ssh-hardening/pull/141 - - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=sshd-01 sshd-02 sshd-03 sshd-04 sshd-05 sshd-06 sshd-07 sshd-08 sshd-09 sshd-10 sshd-11 sshd-12 sshd-13 sshd-14 sshd-15 sshd-16 sshd-17 sshd-18 sshd-19 sshd-20 sshd-21 sshd-22 sshd-23 sshd-24 sshd-25 sshd-26 sshd-27 sshd-28 sshd-29 sshd-30 sshd-31 sshd-32 sshd-33 sshd-34 sshd-35 sshd-36 sshd-37 sshd-38 sshd-39 sshd-40 sshd-41 sshd-42 sshd-43 sshd-44 sshd-45 sshd-46 sshd-47 sshd-48 --no-distinct-exit' - # remove UseRoaming and RhostsRSAAuthentication because these options are deprecated - ssh-14, ssh-15, ssh-21 - - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --controls=ssh-01 ssh-02 ssh-03 ssh-04 ssh-05 ssh-06 ssh-07 ssh-08 ssh-09 ssh-10 ssh-11 ssh-12 ssh-13 ssh-14 ssh-15 ssh-16 ssh-17 ssh-18 ssh-19 ssh-20 --no-distinct-exit' + - 'inspec exec https://github.com/dev-sec/ssh-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit' notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ 
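Review bot: `inspec exec https://github.com/dev-sec/ssh-baseline/` now runs every control from whatever the upstream default branch contains at build time, and the explicit control list — which, per the removed comments, deliberately excluded the UseLogin, UseRoaming and RhostsRSAAuthentication checks — is gone. That makes the CI verdict drift with upstream commits and lets an updated or compromised baseline silently change what this role is judged against. Pin the baseline to a release, for example a tagged archive URL (`https://github.com/dev-sec/ssh-baseline/archive/<tag>.tar.gz`, if your inspec version accepts archive URLs) or a vendored copy, and bump it deliberately. If the dropped exclusions are no longer needed because upstream removed those controls, a one-line comment saying so would preserve that reasoning for the next reader.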
diff --git a/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md b/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md index 22e13f7..dcfad78 100644 --- a/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md +++ b/ansible/roles/dev-sec.ssh-hardening/CHANGELOG.md 
@@ -1,8 +1,147 @@ # Changelog -## [Unreleased](https://github.com/dev-sec/ansible-ssh-hardening/tree/HEAD) +## [9.7.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.7.0) (2020-08-09) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...HEAD) +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.6.0...9.7.0) + +**Implemented enhancements:** + +- add separate option for controlling motd via pam [\#320](https://github.com/dev-sec/ansible-ssh-hardening/pull/320) ([schurzi](https://github.com/schurzi)) + +## [9.6.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.6.0) (2020-07-28) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.5.0...9.6.0) + +**Implemented enhancements:** + +- add SmartOS support [\#294](https://github.com/dev-sec/ansible-ssh-hardening/pull/294) ([aqw](https://github.com/aqw)) + +**Fixed bugs:** + +- fix local kitchen tests [\#318](https://github.com/dev-sec/ansible-ssh-hardening/pull/318) ([schurzi](https://github.com/schurzi)) +- fix sftp\_umask; store as literal not octal [\#317](https://github.com/dev-sec/ansible-ssh-hardening/pull/317) ([aqw](https://github.com/aqw)) + +**Closed issues:** + +- Make SSH banner path configurable [\#315](https://github.com/dev-sec/ansible-ssh-hardening/issues/315) + +## [9.5.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.5.0) (2020-07-27) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.4.0...9.5.0) + +**Implemented enhancements:** + +- add ssh\_banner\_path variable [\#316](https://github.com/dev-sec/ansible-ssh-hardening/pull/316) ([liteua](https://github.com/liteua)) +- rework CRYPTO\_POLICY handling for fedora [\#314](https://github.com/dev-sec/ansible-ssh-hardening/pull/314) ([schurzi](https://github.com/schurzi)) + +**Fixed bugs:** + +- network\_ipv6\_enable: true not working [\#311](https://github.com/dev-sec/ansible-ssh-hardening/issues/311) + +**Closed issues:** + +- 
RHEL/CentOS 8 requires removal or editing of /etc/crypto-policies/back-ends/openssh\*.config [\#275](https://github.com/dev-sec/ansible-ssh-hardening/issues/275) + +**Merged pull requests:** + +- improve testing in kitchen and travis [\#313](https://github.com/dev-sec/ansible-ssh-hardening/pull/313) ([schurzi](https://github.com/schurzi)) + +## [9.4.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.4.0) (2020-07-21) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.3.0...9.4.0) + +**Implemented enhancements:** + +- Add CentOS 8 support for ansible-ssh-hardening [\#247](https://github.com/dev-sec/ansible-ssh-hardening/issues/247) +- adding specific things for IPv6 support [\#312](https://github.com/dev-sec/ansible-ssh-hardening/pull/312) ([altf4arnold](https://github.com/altf4arnold)) +- add support for CentOS8 [\#309](https://github.com/dev-sec/ansible-ssh-hardening/pull/309) ([schurzi](https://github.com/schurzi)) +- README: New section on server port and idempotency [\#307](https://github.com/dev-sec/ansible-ssh-hardening/pull/307) ([nununo](https://github.com/nununo)) + +**Fixed bugs:** + +- CBC Ciphers should be disabled by default. [\#308](https://github.com/dev-sec/ansible-ssh-hardening/issues/308) + +**Closed issues:** + +- Idempotency when changing sshd ports [\#299](https://github.com/dev-sec/ansible-ssh-hardening/issues/299) +- Simplify crypto.yml checks with blocks [\#256](https://github.com/dev-sec/ansible-ssh-hardening/issues/256) +- Possibility for customising host key algorithms? 
[\#243](https://github.com/dev-sec/ansible-ssh-hardening/issues/243) + +## [9.3.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.3.0) (2020-07-09) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.2.0...9.3.0) + +**Implemented enhancements:** + +- Add support for X11 configuration [\#297](https://github.com/dev-sec/ansible-ssh-hardening/issues/297) +- add blocks to crypto.yml checks [\#305](https://github.com/dev-sec/ansible-ssh-hardening/pull/305) ([schurzi](https://github.com/schurzi)) +- fix typo in hardening.yml [\#304](https://github.com/dev-sec/ansible-ssh-hardening/pull/304) ([schurzi](https://github.com/schurzi)) +- allow customization of X11Forwarding [\#300](https://github.com/dev-sec/ansible-ssh-hardening/pull/300) ([divialth](https://github.com/divialth)) + +**Fixed bugs:** + +- fix package install in tests [\#301](https://github.com/dev-sec/ansible-ssh-hardening/pull/301) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Closed issues:** + +- Typo in hardening.yml [\#303](https://github.com/dev-sec/ansible-ssh-hardening/issues/303) +- Task create sshd\_config and set permissions fails [\#302](https://github.com/dev-sec/ansible-ssh-hardening/issues/302) + +## [9.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.2.0) (2020-06-25) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.1.1...9.2.0) + +**Implemented enhancements:** + +- Add RHEL 8 Support [\#261](https://github.com/dev-sec/ansible-ssh-hardening/issues/261) +- Add option to create 'LocalPort' match blocks [\#295](https://github.com/dev-sec/ansible-ssh-hardening/pull/295) ([aisbergg](https://github.com/aisbergg)) +- Add archlinux support [\#291](https://github.com/dev-sec/ansible-ssh-hardening/pull/291) ([djesionek](https://github.com/djesionek)) +- Harmonize style [\#290](https://github.com/dev-sec/ansible-ssh-hardening/pull/290) ([aisbergg](https://github.com/aisbergg)) + +**Merged pull requests:** + +- add centos 8 to 
meta [\#298](https://github.com/dev-sec/ansible-ssh-hardening/pull/298) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [9.1.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.1.1) (2020-06-06) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.1.0...9.1.1) + +**Implemented enhancements:** + +- unify changelog and release actions [\#289](https://github.com/dev-sec/ansible-ssh-hardening/pull/289) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Fixed bugs:** + +- AllowTCPForwarding set to `no` although I have `ssh\_allow\_tcp\_forwarding: yes` [\#286](https://github.com/dev-sec/ansible-ssh-hardening/issues/286) +- `ssh\_allow\_tcp\_forwarding`: use quotes for values [\#288](https://github.com/dev-sec/ansible-ssh-hardening/pull/288) ([jeanmonet](https://github.com/jeanmonet)) + +## [9.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.1.0) (2020-06-02) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/9.0.0...9.1.0) + +**Implemented enhancements:** + +- allow customization of login gracetime and max sessins [\#287](https://github.com/dev-sec/ansible-ssh-hardening/pull/287) ([chris-rock](https://github.com/chris-rock)) + +## [9.0.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/9.0.0) (2020-05-18) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.1.0...9.0.0) + +**Breaking changes:** + +- make ssh client-side compression configurable [\#284](https://github.com/dev-sec/ansible-ssh-hardening/pull/284) ([aqw](https://github.com/aqw)) + +**Fixed bugs:** + +- Disable Ubuntu dynamic login MOTD [\#271](https://github.com/dev-sec/ansible-ssh-hardening/issues/271) + +**Closed issues:** + +- Ubuntu disable dynamic MOTD failing [\#283](https://github.com/dev-sec/ansible-ssh-hardening/issues/283) + +## [8.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/8.1.0) (2020-05-09) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/8.0.0...8.1.0) 
**Implemented enhancements:** @@ -377,7 +516,6 @@ **Implemented enhancements:** - CentOS 7 selinux dependencies [\#76](https://github.com/dev-sec/ansible-ssh-hardening/issues/76) -- install selinux dependencies, check for already installed semodule [\#79](https://github.com/dev-sec/ansible-ssh-hardening/pull/79) ([rndmh3ro](https://github.com/rndmh3ro)) - Parameterise Banner and DebianBanner as defaults [\#77](https://github.com/dev-sec/ansible-ssh-hardening/pull/77) ([tsenart](https://github.com/tsenart)) **Fixed bugs:** @@ -386,6 +524,10 @@ - Selinux issue [\#75](https://github.com/dev-sec/ansible-ssh-hardening/issues/75) - Running the tests locally [\#61](https://github.com/dev-sec/ansible-ssh-hardening/issues/61) +**Closed issues:** + +- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28) + ## [3.1.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/3.1.0) (2016-08-03) [Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/3.1...3.1.0) @@ -401,6 +543,7 @@ **Implemented enhancements:** - Add Xenial / Ubuntu 16.04 LTS to meta/main.yml [\#63](https://github.com/dev-sec/ansible-ssh-hardening/issues/63) +- install selinux dependencies, check for already installed semodule [\#79](https://github.com/dev-sec/ansible-ssh-hardening/pull/79) ([rndmh3ro](https://github.com/rndmh3ro)) - Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 [\#73](https://github.com/dev-sec/ansible-ssh-hardening/pull/73) ([atomic111](https://github.com/atomic111)) - add docker support [\#71](https://github.com/dev-sec/ansible-ssh-hardening/pull/71) ([rndmh3ro](https://github.com/rndmh3ro)) - add always\_run: true to task. fix \#64 [\#69](https://github.com/dev-sec/ansible-ssh-hardening/pull/69) ([rndmh3ro](https://github.com/rndmh3ro)) 
@@ -462,19 +605,19 @@ ## [1.2.1](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.1) (2015-10-16) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.1) +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2.1) **Merged pull requests:** - Allow whitelisted groups on ssh [\#40](https://github.com/dev-sec/ansible-ssh-hardening/pull/40) ([fheinle](https://github.com/fheinle)) -## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28) - -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2.0...1.2) - ## [1.2.0](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2.0) (2015-09-28) -[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2.0) +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.2...1.2.0) + +## [1.2](https://github.com/dev-sec/ansible-ssh-hardening/tree/1.2) (2015-09-28) + +[Full Changelog](https://github.com/dev-sec/ansible-ssh-hardening/compare/1.1.0...1.2) **Merged pull requests:** @@ -493,9 +636,7 @@ **Closed issues:** - ssh\_ports - individual client/server config [\#33](https://github.com/dev-sec/ansible-ssh-hardening/issues/33) -- Applied-Crypto-Hardening project and new cyphers. [\#28](https://github.com/dev-sec/ansible-ssh-hardening/issues/28) - UsePAM should probably default to yes on Red Hat Linux 7 [\#23](https://github.com/dev-sec/ansible-ssh-hardening/issues/23) -- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2) **Merged pull requests:** @@ -527,6 +668,7 @@ - add travis test for ubuntu 12.04 [\#7](https://github.com/dev-sec/ansible-ssh-hardening/issues/7) - Use handler for sshd restart [\#6](https://github.com/dev-sec/ansible-ssh-hardening/issues/6) +- Running test-kitchen fails [\#2](https://github.com/dev-sec/ansible-ssh-hardening/issues/2) **Merged pull requests:** 
diff --git a/ansible/roles/dev-sec.ssh-hardening/README.md b/ansible/roles/dev-sec.ssh-hardening/README.md index cd61aec..c1d02e9 100644 --- a/ansible/roles/dev-sec.ssh-hardening/README.md +++ b/ansible/roles/dev-sec.ssh-hardening/README.md @@ -1,12 +1,11 @@ # ssh-hardening (Ansible Role) [![Build Status](http://img.shields.io/travis/dev-sec/ansible-ssh-hardening.svg)][1] -[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2] [![Ansible Galaxy](https://img.shields.io/badge/galaxy-ssh--hardening-660198.svg)][3] ## Description -This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the [DevSec SSH Baseline](https://github.com/dev-sec/ssh-baseline). +This role provides secure ssh-client and ssh-server configurations. It is intended to be compliant with the [DevSec SSH Baseline](https://github.com/dev-sec/ssh-baseline). Warning: This role disables root-login on the target server! Please make sure you have another user with su or sudo permissions that can login into the server. 
@@ -17,10 +16,10 @@ Warning: This role disables root-login on the target server! Please make sure yo ## Role Variables | Name | Default Value | Description | | -------------- | ------------- | -----------------------------------| -|`network_ipv6_enable` | false |true if IPv6 is needed| +|`network_ipv6_enable` | false |true if IPv6 is needed. `ssh_listen_to` must also be set to listen to IPv6 addresses (for example `[::]`).| |`ssh_server_ports` | ['22'] |ports on which ssh-server should listen| |`ssh_client_port` | '22' |port to which ssh-client should connect| -|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all adresseses, but should be configured to specific addresses for security reasons!| +|`ssh_listen_to` | ['0.0.0.0'] |one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 adresses, but should be configured to specific addresses for security reasons!| |`ssh_host_key_files` | [] |Host keys for sshd. If empty ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key'] will be used, as far as supported by the installed sshd version| |`ssh_host_key_algorithms` | [] | Host key algorithms that the server offers. If empty the [default list](https://man.openbsd.org/sshd_config#HostKeyAlgorithms) will be used, otherwise overrides the setting with specified list of algorithms| |`ssh_client_alive_interval` | 600 | specifies an interval for sending keepalive messages | 
@@ -28,9 +27,10 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_permit_tunnel` | false | true if SSH Port Tunneling is required | |`ssh_remote_hosts` | [] | one or more hosts and their custom options for the ssh-client. Default is empty. See examples in `defaults/main.yml`.| |`ssh_permit_root_login` | no | Disable root-login. Set to `without-password` or `yes` to enable root-login | -|`ssh_allow_tcp_forwarding` | no | `no` to disable TCP Forwarding. Set to `yes` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `yes`, `no`, `all` or `local`| +|`ssh_allow_tcp_forwarding` | no | `'no'` to disable TCP Forwarding. Set to `'yes'` to allow TCP Forwarding. If you are using OpenSSH >= 6.2 version, you can specify `'yes'`, `'no'`, `'all'` or `'local'`.
*Note*: values passed to this variable must be strings, thus values `'yes'` and `'no'` should be passed with quotes. | |`ssh_gateway_ports` | `false` | `false` to disable binding forwarded ports to non-loopback addresses. Set to `true` to force binding on wildcard address. Set to `clientspecified` to allow the client to specify which address to bind to.| |`ssh_allow_agent_forwarding` | false | false to disable Agent Forwarding. Set to true to allow Agent Forwarding.| +|`ssh_x11_forwarding` | false | false to disable X11 Forwarding. Set to true to allow X11 Forwarding.| |`ssh_pam_support` | true | true if SSH has PAM support.| |`ssh_use_pam` | true | false to disable pam authentication.| |`ssh_gssapi_support` | false | true if SSH has GSSAPI support.| @@ -45,9 +45,10 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_authorized_principals_file` | '' | specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set. | |`ssh_authorized_principals` | [] | list of hashes containing file paths and authorized principals, see default_custom.yml for all options. Only used if ssh_authorized_principals_file is set. | |`ssh_print_motd` | false | false to disable printing of the MOTD| +|`ssh_print_pam_motd` | false | false to disable printing of the MOTD via pam (Debian and Ubuntu)| |`ssh_print_last_log` | false | false to disable display of last login information| |`sftp_enabled` | false | true to enable sftp configuration| -|`sftp_umask` | 0027 | Specifies the umask for sftp| +|`sftp_umask` | '0027' | Specifies the umask for sftp| |`sftp_chroot` | true | false to disable chroot for sftp| |`sftp_chroot_dir` | /home/%u | change default sftp chroot location| |`ssh_client_roaming` | false | enable experimental client roaming| 
@@ -57,16 +58,21 @@ Warning: This role disables root-login on the target server! Please make sure yo |`ssh_client_password_login` | false | `true` to allow password-based authentication with the ssh client | |`ssh_server_password_login` | false | `true` to allow password-based authentication with the ssh server | |`ssh_banner` | `false` | `true` to print a banner on login | +|`ssh_banner_path`| '/etc/sshd/banner.txt' | path to the SSH banner file | |`ssh_client_hardening` | `true` | `false` to stop harden the client | |`ssh_client_port` | `'22'` | Specifies the port number to connect on the remote host. | -|`ssh_compression` | `false` | Specifies whether compression is enabled after the user has authenticated successfully. | +|`ssh_client_compression` | `false` | Specifies whether the client requests compression. | +|`ssh_compression` | `false` | Specifies whether server-side compression is enabled after the user has authenticated successfully. | +|`ssh_login_grace_time` | `30s` | specifies the time allowed for successful authentication to the SSH server | |`ssh_max_auth_retries` | `2` | Specifies the maximum number of authentication attempts permitted per connection. | +|`ssh_max_sessions` | `10` | Specifies the maximum number of open sessions permitted from a given connection. | |`ssh_print_debian_banner` | `false` | `true` to print debian specific banner | |`ssh_server_enabled` | `true` | `false` to disable the opensshd server | |`ssh_server_hardening` | `true` | `false` to stop harden the server | |`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_group` | '' | Introduces a conditional block. 
If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | +|`ssh_server_match_local_port` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. | |`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings | |`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace | |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. | 
@@ -99,6 +105,12 @@ Example playbook: - "AcceptEnv LANG" ``` +## Changing the default port and idempotency + +This role uses the default port 22 or the port configured in the inventory to connect to the server. If the default `ssh` port is changed via `ssh_server_ports`, once the ssh server is restarted, it will still try to connect using the previous port. In order to run this role again on the same server the inventory will have to be updated to use the new ssh port. + +If idempotency is important, please consider using role [`ssh-hardening-fallback`](https://github.com/nununo/ansible-ssh-hardening-fallback), which is a wrapper around this role that falls back to port 22 if the configured port is unreachable. + ## Example Playbook - hosts: localhost @@ -120,6 +132,7 @@ bundle install ``` ### Testing with Docker + ``` # fast test on one machine bundle exec kitchen test ssh-ubuntu1804-ansible-latest diff --git a/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml b/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml index 865bf18..aeb0198 100644 --- a/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml +++ b/ansible/roles/dev-sec.ssh-hardening/defaults/main.yml 
@@ -1,48 +1,55 @@ # true if IPv6 is needed -network_ipv6_enable: false # sshd + ssh +network_ipv6_enable: false # sshd + ssh # true if sshd should be started and enabled -ssh_server_enabled: true # sshd +ssh_server_enabled: true # sshd # true if DNS resolutions are needed, look up the remote host name, defaults to false from 6.8, see: http://www.openssh.com/txt/release-6.8 -ssh_use_dns: false # sshd +ssh_use_dns: false # sshd # true or value if compression is needed -ssh_compression: false # sshd +ssh_client_compression: false # ssh +ssh_compression: false # sshd # For which components (client and server) to generate the configuration for. Can be useful when running against a client without an SSH server. ssh_client_hardening: true # ssh ssh_server_hardening: true # sshd # If true, password login is allowed -ssh_client_password_login: false # ssh -ssh_server_password_login: false # sshd +ssh_client_password_login: false # ssh +ssh_server_password_login: false # sshd # ports on which ssh-server should listen -ssh_server_ports: ['22'] # sshd +ssh_server_ports: ['22'] # sshd # port to which ssh-client should connect -ssh_client_port: '22' # ssh +ssh_client_port: '22' # ssh # one or more ip addresses, to which ssh-server should listen to. Default is empty, but should be configured for security reasons! -ssh_listen_to: ['0.0.0.0'] # sshd +ssh_listen_to: ['0.0.0.0'] # sshd # Host keys to look for when starting sshd. -ssh_host_key_files: [] # sshd +ssh_host_key_files: [] # sshd # Specifies the host key algorithms that the server offers -ssh_host_key_algorithms: [] # sshd +ssh_host_key_algorithms: [] # sshd + +# specifies the time allowed for successful authentication to the SSH server +ssh_login_grace_time: 30s # Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. 
ssh_max_auth_retries: 2 -ssh_client_alive_interval: 300 # sshd -ssh_client_alive_count: 3 # sshd +# Specifies the maximum number of open sessions permitted from a given connection +ssh_max_sessions: 10 + +ssh_client_alive_interval: 300 # sshd +ssh_client_alive_count: 3 # sshd # Allow SSH Tunnels ssh_permit_tunnel: false -# Hosts with custom options. # ssh +# Hosts with custom options. # ssh # Example: # ssh_remote_hosts: # - names: ['example.com', 'example2.com'] @@ -52,23 +59,26 @@ ssh_permit_tunnel: false ssh_remote_hosts: [] # Set this to "without-password" or "yes" to allow root to login -ssh_permit_root_login: 'no' # sshd +ssh_permit_root_login: 'no' # sshd # false to disable TCP Forwarding. Set to true to allow TCP Forwarding. -ssh_allow_tcp_forwarding: 'no' # sshd +ssh_allow_tcp_forwarding: 'no' # sshd # false to disable binding forwarded ports to non-loopback addresses. Set to true to force binding on wildcard address. # Set to 'clientspecified' to allow the client to specify which address to bind to. -ssh_gateway_ports: false # sshd +ssh_gateway_ports: false # sshd # false to disable Agent Forwarding. Set to true to allow Agent Forwarding. -ssh_allow_agent_forwarding: false # sshd +ssh_allow_agent_forwarding: false # sshd + +# false to disable X11 Forwarding. Set to true to allow X11 Forwarding. +ssh_x11_forwarding: false # sshd # true if SSH has PAM support ssh_pam_support: true # false to disable pam authentication. -ssh_use_pam: true # sshd +ssh_use_pam: true # sshd # specify AuthenticationMethods sshd_authenticationmethods: 'publickey' 
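Review bot: The two new variables `ssh_login_grace_time: 30s` and `ssh_max_sessions: 10` are the only entries in this block without the trailing `# sshd` component tag that every neighbouring variable carries (the same hunk even re-aligns those tags), so a reader filtering on `# ssh` / `# sshd` will miss them. Add the tags: `ssh_login_grace_time: 30s  # sshd` and `ssh_max_sessions: 10  # sshd`. The comment `# true or value if compression is needed` now sits above both `ssh_client_compression` and `ssh_compression`; since the README in this commit describes them as client-requested versus server-side compression, one comment per variable would avoid implying they are interchangeable.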
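Review bot: The comment above `ssh_allow_tcp_forwarding: 'no'` still reads `# false to disable TCP Forwarding. Set to true to allow TCP Forwarding.`, but the value is a quoted string and the README in this same commit states the variable must be passed as `'yes'`, `'no'`, `'all'` or `'local'`; a user following the comment and writing `true` gets a YAML boolean, which looks like the mismatch behind #288 in the changelog. Change the comment to `# 'no' to disable TCP forwarding; 'yes', 'all' or 'local' (OpenSSH >= 6.2) to allow it. Pass a quoted string, not a YAML boolean.` The new `ssh_x11_forwarding: false` entry is correctly a real boolean, which makes the stale comment next to it more confusing, not less.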
@@ -80,29 +90,29 @@ ssh_gssapi_support: false ssh_kerberos_support: true # if specified, login is disallowed for user names that match one of the patterns. -ssh_deny_users: '' # sshd +ssh_deny_users: '' # sshd # if specified, login is allowed only for user names that match one of the patterns. -ssh_allow_users: '' # sshd +ssh_allow_users: '' # sshd # if specified, login is disallowed for users whose primary group or supplementary group list matches one of the patterns. -ssh_deny_groups: '' # sshd +ssh_deny_groups: '' # sshd # if specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. -ssh_allow_groups: '' # sshd +ssh_allow_groups: '' # sshd # change default file that contains the public keys that can be used for user authentication. -ssh_authorized_keys_file: '' # sshd +ssh_authorized_keys_file: '' # sshd # specifies the file containing trusted certificate authorities public keys used to sign user certificates. -ssh_trusted_user_ca_keys_file: '' # sshd +ssh_trusted_user_ca_keys_file: '' # sshd # set the trusted certificate authorities public keys used to sign user certificates. # Example: # ssh_trusted_user_ca_keys: # - 'ssh-rsa ... comment1' # - 'ssh-rsa ... comment2' -ssh_trusted_user_ca_keys: [] # sshd +ssh_trusted_user_ca_keys: [] # sshd # specifies the file containing principals that are allowed. Only used if ssh_trusted_user_ca_keys_file is set. # Example: 
@@ -112,26 +122,30 @@ ssh_trusted_user_ca_keys: [] # sshd # replaced by the username of that user. After expansion, the path is taken to be # an absolute path or one relative to the user's home directory. # -ssh_authorized_principals_file: '' # sshd +ssh_authorized_principals_file: '' # sshd # list of hashes containing file paths and authorized principals. Only used if ssh_authorized_principals_file is set. # Example: # ssh_authorized_principals: # - { path: '/etc/ssh/auth_principals/root', principals: [ 'root' ], owner: "{{ ssh_owner }}", group: "{{ ssh_group }}", directoryowner: "{{ ssh_owner }}", directorygroup: "{{ ssh_group}}" } # - { path: '/etc/ssh/auth_principals/myuser', principals: [ 'masteradmin', 'webserver' ] } -ssh_authorized_principals: [] # sshd +ssh_authorized_principals: [] # sshd # false to disable printing of the MOTD -ssh_print_motd: false # sshd +ssh_print_motd: false # sshd +ssh_print_pam_motd: false # sshd # false to disable display of last login information -ssh_print_last_log: false # sshd +ssh_print_last_log: false # sshd -# false to disable serving /etc/ssh/banner.txt before authentication is allowed -ssh_banner: false # sshd +# false to disable serving ssh warning banner before authentication is allowed +ssh_banner: false # sshd + +# path to file with ssh warning banner +ssh_banner_path: '/etc/ssh/banner.txt' # false to disable distribution version leakage during initial protocol handshake -ssh_print_debian_banner: false # sshd (Debian OS family only) +ssh_print_debian_banner: false # sshd (Debian OS family only) # true to enable sftp configuration sftp_enabled: false @@ -140,7 +154,7 @@ sftp_enabled: false sftp_chroot: true # sftp default umask -sftp_umask: 0027 +sftp_umask: '0027' # change default sftp chroot location sftp_chroot_dir: /home/%u 
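Review bot: `ssh_print_pam_motd: false` is added without a comment, although it now drives a different task than `ssh_print_motd` (the pam_motd.so removal in hardening.yml keys on it, while sshd's PrintMotd still follows `ssh_print_motd`). A one-line comment would keep the two apart, e.g. `# false to remove pam_motd.so from the sshd PAM stack (independent of PrintMotd)`. The new `ssh_banner_path` only tells sshd where to look; nothing in this diff creates the file, so its comment could say the banner file must already exist on the host, e.g. `# path to file with ssh warning banner (the role does not create this file)`.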
@@ -148,20 +162,23 @@ sftp_chroot_dir: /home/%u # enable experimental client roaming ssh_client_roaming: false -# list of hashes (containing user and rules) to generate Match User blocks for. -ssh_server_match_user: false # sshd +# list of hashes (containing user and rules) to generate Match User blocks for +ssh_server_match_user: false # sshd -# list of hashes (containing group and rules) to generate Match Group blocks for. -ssh_server_match_group: false # sshd +# list of hashes (containing group and rules) to generate Match Group blocks for +ssh_server_match_group: false # sshd -# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for. -ssh_server_match_address: false # sshd +# list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for +ssh_server_match_address: false # sshd + +# list of hashes (containing port and rules) to generate Match LocalPort blocks for +ssh_server_match_local_port: false # sshd ssh_server_permit_environment_vars: 'no' -ssh_server_accept_env_vars : '' +ssh_server_accept_env_vars: '' # maximum number of concurrent unauthenticated connections to the SSH daemon -ssh_max_startups: '10:30:100' # sshd +ssh_max_startups: '10:30:100' # sshd ssh_ps53: 'yes' ssh_ps59: 'sandbox' @@ -249,3 +266,7 @@ sshd_syslog_facility: 'AUTH' sshd_log_level: 'VERBOSE' sshd_strict_modes: yes + +# disable CRYPTO_POLICY to take settings from sshd configuration +# see: https://access.redhat.com/solutions/4410591 +sshd_disable_crypto_policy: true diff --git a/ansible/roles/dev-sec.ssh-hardening/files/sshd b/ansible/roles/dev-sec.ssh-hardening/files/sshd new file mode 100644 index 0000000..085c208 --- /dev/null +++ b/ansible/roles/dev-sec.ssh-hardening/files/sshd 
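Review bot: The comment on the new `ssh_server_match_local_port` list does not say how it interacts with the other Match lists, and the template renders the LocalPort section after the Address, Group and User sections. Per sshd_config(5), when a keyword appears in several satisfied Match blocks only the first instance applies, so a rule in a LocalPort block cannot override the same keyword set in an earlier matching block. Suggest extending the comment, e.g. `# list of hashes (containing port and rules) to generate Match LocalPort blocks for; rendered after the Address/Group/User blocks, so an earlier satisfied block wins for the same keyword`. The same ordering note would help readers of the opensshd.conf.j2 hunk that emits these sections.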
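Review bot: The comment above `sshd_disable_crypto_policy: true` says what the switch does but not its consequence: with the default on, every host that has the crypto-policies package stops receiving distro-wide algorithm updates for sshd, and the role's `ssh_ciphers`/`ssh_macs`/`ssh_kex` lists become the only restriction in force. That is a reasonable choice for a hardening role, but it should be stated where the operator reads it, e.g. `# when true, /etc/sysconfig/sshd is overwritten so the system-wide crypto policy no longer applies to sshd; ssh_ciphers/ssh_macs/ssh_kex then fully define the allowed algorithms`.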
@@ -0,0 +1,17 @@ +# Configuration file for the sshd service. + +# The server keys are automatically generated if they are missing. +# To change the automatic creation, adjust sshd.service options for +# example using systemctl enable sshd-keygen@dsa.service to allow creation +# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key +# creation. + +# Do not change this option unless you have hardware random +# generator and you REALLY know what you are doing + +SSH_USE_STRONG_RNG=0 +# SSH_USE_STRONG_RNG=1 + +# System-wide crypto policy: +# To opt-out, uncomment the following line +CRYPTO_POLICY= diff --git a/ansible/roles/dev-sec.ssh-hardening/handlers/main.yml b/ansible/roles/dev-sec.ssh-hardening/handlers/main.yml index 2b39da5..7cc0fde 100644 --- a/ansible/roles/dev-sec.ssh-hardening/handlers/main.yml +++ b/ansible/roles/dev-sec.ssh-hardening/handlers/main.yml @@ -1,4 +1,6 @@ - name: restart sshd - service: name={{ sshd_service_name }} state=restarted - when: "(ssh_server_enabled|bool)" + service: + name: '{{ sshd_service_name }}' + state: restarted + when: ssh_server_enabled | bool become: yes diff --git a/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info b/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info index b8b48bf..51f79a5 100644 --- a/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info +++ b/ansible/roles/dev-sec.ssh-hardening/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Fri May 15 20:29:21 2020 -version: 8.1.0 +install_date: Thu Feb 18 15:39:23 2021 +version: 9.7.0 diff --git a/ansible/roles/dev-sec.ssh-hardening/meta/main.yml b/ansible/roles/dev-sec.ssh-hardening/meta/main.yml index 2f7eb5a..9b997db 100644 --- a/ansible/roles/dev-sec.ssh-hardening/meta/main.yml +++ b/ansible/roles/dev-sec.ssh-hardening/meta/main.yml @@ -10,6 +10,7 @@ galaxy_info: versions: - 6 - 7 + - 8 - name: Ubuntu versions: - xenial 
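Review bot: The shipped `/etc/sysconfig/sshd` keeps the distro comment `# To opt-out, uncomment the following line` directly above a `CRYPTO_POLICY=` line that is already uncommented, so the file no longer explains its own state. Replace the two comment lines with something like `# System-wide crypto policy is intentionally disabled by the ssh-hardening role; Ciphers/MACs/KexAlgorithms in sshd_config are authoritative.` Since the task in hardening.yml copies this file verbatim, it also pins `SSH_USE_STRONG_RNG=0` on every managed host, and local edits to the file are reverted on each run; a comment saying so at the top would save an operator a surprise.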
@@ -20,6 +21,8 @@ galaxy_info: - buster - name: Amazon - name: Fedora + - name: Archlinux + - name: SmartOS galaxy_tags: - system - security diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml index d628461..54b5635 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/ca_keys_and_principals.yml @@ -1,5 +1,5 @@ --- -- name: Set ssh CA pub keys +- name: set ssh CA pub keys template: src: 'trusted_user_ca_keys.j2' dest: '{{ ssh_trusted_user_ca_keys_file }}' @@ -8,20 +8,20 @@ group: '{{ ssh_group }}' notify: restart sshd -- name: Create ssh authorized principals directories +- name: create ssh authorized principals directories file: path: '{{ item.path | dirname }}' mode: '{{ item.directorymode | default(0700) }}' owner: '{{ item.directoryowner | default(ssh_owner) }}' group: '{{ item.directorygroup | default(ssh_group) }}' state: directory - with_items: '{{ ssh_authorized_principals }}' + loop: '{{ ssh_authorized_principals }}' -- name: Set ssh authorized principals +- name: set ssh authorized principals template: src: 'authorized_principals.j2' dest: '{{ item.path }}' mode: '{{ item.filemode | default(0600) }}' owner: '{{ item.owner| default(ssh_owner) }}' group: '{{ item.group | default(ssh_group) }}' - with_items: '{{ ssh_authorized_principals }}' + loop: '{{ ssh_authorized_principals }}' diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml deleted file mode 100644 index 364f6b7..0000000 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto.yml +++ /dev/null 
@@ -1,75 +0,0 @@
----
-
-- name: set hostkeys according to openssh-version
-  set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key', '/etc/ssh/ssh_host_ed25519_key']
-  when: sshd_version is version('6.3', '>=') and not ssh_host_key_files
-
-- name: set hostkeys according to openssh-version
-  set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key', '/etc/ssh/ssh_host_ecdsa_key']
-  when: sshd_version is version('6.0', '>=') and not ssh_host_key_files
-
-- name: set hostkeys according to openssh-version
-  set_fact:
-    ssh_host_key_files: ['/etc/ssh/ssh_host_rsa_key']
-  when: sshd_version is version('5.3', '>=') and not ssh_host_key_files
-
-###
-
-- name: set macs according to openssh-version if openssh >= 7.6
-  set_fact:
-    ssh_macs: '{{ ssh_macs_76_default }}'
-  when: sshd_version is version('7.6', '>=') and not ssh_macs
-
-- name: set macs according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_macs: '{{ ssh_macs_66_default }}'
-  when: sshd_version is version('6.6', '>=') and not ssh_macs
-
-- name: set macs according to openssh-version
-  set_fact:
-    ssh_macs: '{{ ssh_macs_59_default }}'
-  when: sshd_version is version('5.9', '>=') and not ssh_macs
-
-- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports)
-  set_fact:
-    ssh_macs: '{{ ssh_macs_53_el_6_5_default }}'
-  when:
-    - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat']
-    - ansible_facts.distribution_version is version('6.5', '>=')
-    - not ssh_macs
-
-- name: set macs according to openssh-version
-  set_fact:
-    ssh_macs: '{{ ssh_macs_53_default }}'
-  when: sshd_version is version('5.3', '>=') and not ssh_macs
-
-###
-
-- name: set ciphers according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_ciphers: '{{ ssh_ciphers_66_default }}'
-  when: sshd_version is version('6.6', '>=') and not ssh_ciphers
-
-- name: set ciphers according to openssh-version
-  set_fact:
-    ssh_ciphers: '{{ ssh_ciphers_53_default }}'
-  when: sshd_version is version('5.3', '>=') and not ssh_ciphers
-
-###
-
-- name: set kex according to openssh-version if openssh >= 8.0
-  set_fact:
-    ssh_kex: '{{ ssh_kex_80_default }}'
-  when: sshd_version is version('8.0', '>=') and not ssh_kex
-
-- name: set kex according to openssh-version if openssh >= 6.6
-  set_fact:
-    ssh_kex: '{{ ssh_kex_66_default }}'
-  when: sshd_version is version('6.6', '>=') and not ssh_kex
-
-- name: set kex according to openssh-version
-  set_fact:
-    ssh_kex: '{{ ssh_kex_59_default }}'
-  when: sshd_version is version('5.9', '>=') and not ssh_kex
diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_ciphers.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_ciphers.yml
new file mode 100644
index 0000000..45344c4
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_ciphers.yml
@@ -0,0 +1,10 @@
+---
+- name: set ciphers according to openssh-version if openssh >= 5.3
+  set_fact:
+    ssh_ciphers: '{{ ssh_ciphers_53_default }}'
+  when: sshd_version is version('5.3', '>=')
+
+- name: set ciphers according to openssh-version if openssh >= 6.6
+  set_fact:
+    ssh_ciphers: '{{ ssh_ciphers_66_default }}'
+  when: sshd_version is version('6.6', '>=')
diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_hostkeys.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_hostkeys.yml
new file mode 100644
index 0000000..76ff7ad
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_hostkeys.yml
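Review bot: crypto_ciphers.yml depends on task order for correctness: on a current OpenSSH both set_fact tasks match, and the list left in `ssh_ciphers` is whichever task ran last, so the file only selects the strongest list because the tasks are sorted by ascending version. Nothing in the file says so; a header comment would stop an out-of-order addition from silently selecting the weaker list, e.g. `# Tasks are ordered by ascending OpenSSH version; each later match overrides the previous set_fact, so keep them sorted.` The same applies to crypto_hostkeys.yml, crypto_kex.yml and crypto_macs.yml in the following hunks; in crypto_macs.yml the Enterprise Linux task sits between the 5.3 and 5.9 tasks and carries no `sshd_version` condition, which is only harmless because the later version tasks override it. crypto_hostkeys.yml also reads `ssh_host_keys_dir`, which none of the defaults hunks visible in this diff introduce; presumably it is defined elsewhere, otherwise the include fails on an undefined variable.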
@@ -0,0 +1,21 @@
+---
+- name: set hostkeys according to openssh-version if openssh >= 5.3
+  set_fact:
+    ssh_host_key_files:
+      - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+  when: sshd_version is version('5.3', '>=')
+
+- name: set hostkeys according to openssh-version if openssh >= 6.0
+  set_fact:
+    ssh_host_key_files:
+      - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+      - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
+  when: sshd_version is version('6.0', '>=')
+
+- name: set hostkeys according to openssh-version if openssh >= 6.3
+  set_fact:
+    ssh_host_key_files:
+      - "{{ ssh_host_keys_dir }}/ssh_host_rsa_key"
+      - "{{ ssh_host_keys_dir }}/ssh_host_ecdsa_key"
+      - "{{ ssh_host_keys_dir }}/ssh_host_ed25519_key"
+  when: sshd_version is version('6.3', '>=')
diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_kex.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_kex.yml
new file mode 100644
index 0000000..e55e721
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_kex.yml
@@ -0,0 +1,15 @@
+---
+- name: set kex according to openssh-version if openssh >= 5.9
+  set_fact:
+    ssh_kex: '{{ ssh_kex_59_default }}'
+  when: sshd_version is version('5.9', '>=')
+
+- name: set kex according to openssh-version if openssh >= 6.6
+  set_fact:
+    ssh_kex: '{{ ssh_kex_66_default }}'
+  when: sshd_version is version('6.6', '>=')
+
+- name: set kex according to openssh-version if openssh >= 8.0
+  set_fact:
+    ssh_kex: '{{ ssh_kex_80_default }}'
+  when: sshd_version is version('8.0', '>=')
diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_macs.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_macs.yml
new file mode 100644
index 0000000..f4cdf54
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/tasks/crypto_macs.yml
@@ -0,0 +1,27 @@ +--- +- name: set macs according to openssh-version if openssh >= 5.3 + set_fact: + ssh_macs: '{{ ssh_macs_53_default }}' + when: sshd_version is version('5.3', '>=') + +- name: set macs for Enterprise Linux >= 6.5 (openssh 5.3 with backports) + set_fact: + ssh_macs: '{{ ssh_macs_53_el_6_5_default }}' + when: + - ansible_facts.distribution in ['CentOS', 'OracleLinux', 'RedHat'] + - ansible_facts.distribution_version is version('6.5', '>=') + +- name: set macs according to openssh-version if openssh >= 5.9 + set_fact: + ssh_macs: '{{ ssh_macs_59_default }}' + when: sshd_version is version('5.9', '>=') + +- name: set macs according to openssh-version if openssh >= 6.6 + set_fact: + ssh_macs: '{{ ssh_macs_66_default }}' + when: sshd_version is version('6.6', '>=') + +- name: set macs according to openssh-version if openssh >= 7.6 + set_fact: + ssh_macs: '{{ ssh_macs_76_default }}' + when: sshd_version is version('7.6', '>=') diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml index 02be78f..705840e 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/hardening.yml @@ -1,11 +1,11 @@ --- -- name: Set OS dependent variables +- name: set OS dependent variables include_vars: '{{ item }}' with_first_found: - - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' - - '{{ ansible_facts.distribution }}.yml' - - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' - - '{{ ansible_facts.os_family }}.yml' + - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.distribution }}.yml' + - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.os_family }}.yml' - name: get openssh-version command: ssh -V 
@@ -17,8 +17,21 @@ set_fact: sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]*.[0-9]).*', '\\1') }}" -- name: include tasks to create crypo-vars - include_tasks: crypto.yml +- name: set default for ssh_host_key_files if not supplied + include_tasks: crypto_hostkeys.yml + when: not ssh_host_key_files + +- name: set default for ssh_macs if not supplied + include_tasks: crypto_macs.yml + when: not ssh_macs + +- name: set default for ssh_ciphers if not supplied + include_tasks: crypto_ciphers.yml + when: not ssh_ciphers + +- name: set default for ssh_kex if not supplied + include_tasks: crypto_kex.yml + when: not ssh_kex - name: create revoked_keys and set permissions to root/600 template: @@ -37,7 +50,7 @@ mode: '0600' owner: '{{ ssh_owner }}' group: '{{ ssh_group }}' - validate: '/usr/sbin/sshd -T -C user=root -C host=localhost -C addr=localhost -f %s' + validate: '{{ sshd_path }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s' notify: restart sshd when: ssh_server_hardening | bool @@ -48,10 +61,11 @@ control: optional module_path: pam_motd.so state: absent + backup: yes when: - ssh_server_hardening | bool - ssh_pam_support | bool - - not (ssh_print_motd | bool) + - not (ssh_print_pam_motd | bool) - name: create ssh_config and set permissions to root/644 template: @@ -62,7 +76,7 @@ group: '{{ ssh_group }}' when: ssh_client_hardening | bool -- name: Check if {{ sshd_moduli_file }} contains weak DH parameters +- name: check if {{ sshd_moduli_file }} contains weak DH parameters shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} register: sshd_register_moduli changed_when: false 
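Review bot: The new `validate` string hard-codes `-C lport=22` while the listening ports come from `ssh_server_ports`, and this commit adds `Match LocalPort` blocks; `sshd -T` still parses every block for syntax, but the effective configuration it computes only reflects blocks satisfied by the given criteria, so the dry run describes a listener that may not exist. `-C lport={{ ssh_server_ports | first }}` would make the test connection match a port sshd is actually configured for. `sshd_path` replacing `/usr/sbin/sshd` presumably comes from the per-OS vars files, which are not part of this diff. In the pam_motd hunk just below, switching the condition to `ssh_print_pam_motd` decouples the PAM line from sshd's `PrintMotd`; a comment on that task such as `# pam_motd.so removal is controlled separately from PrintMotd (ssh_print_motd)` would make the split intentional rather than accidental to the next reader.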
@@ -84,3 +98,17 @@ - name: include selinux specific tasks include_tasks: selinux.yml when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled" + +- name: gather package facts + package_facts: + check_mode: no + when: + - sshd_disable_crypto_policy | bool + +- name: disable SSH server CRYPTO_POLICY + copy: + src: sshd + dest: /etc/sysconfig/sshd + when: + - sshd_disable_crypto_policy | bool + - ('crypto-policies' in ansible_facts.packages) diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml index 32f9d02..a62da78 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/main.yml @@ -1,4 +1,3 @@ --- - - include_tasks: hardening.yml when: ssh_hardening_enabled | bool diff --git a/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml b/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml index 43b8d08..f08f5af 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tasks/selinux.yml @@ -4,14 +4,13 @@ name: '{{ ssh_selinux_packages }}' state: present -- name: "authorize {{ ssh_server_ports }} ports for selinux" +- name: authorize {{ ssh_server_ports }} ports for selinux seport: ports: '{{ item }}' proto: tcp setype: ssh_port_t state: present - with_items: - - "{{ ssh_server_ports }}" + loop: '{{ ssh_server_ports }}' - name: check if ssh_password module is already installed shell: 'set -o pipefail && semodule -l | grep ssh_password' 
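Review bot: The `disable SSH server CRYPTO_POLICY` task copies over `/etc/sysconfig/sshd` but has no `notify: restart sshd`, so when only this file changes (for instance after a package update restored the distro version) the running sshd keeps the old policy until something else restarts it. It also lacks the `backup: yes` that the pam_motd task in the previous hunk just gained, and sets no owner/group/mode, leaving the result to the module defaults; the file is read as sshd's environment file, so it should be root-owned and not group- or world-writable. The `('crypto-policies' in ansible_facts.packages)` guard together with the `package_facts` task is the right way to limit this to hosts where the policy exists.
```yaml
- name: disable SSH server CRYPTO_POLICY
  copy:
    src: sshd
    dest: /etc/sysconfig/sshd
    owner: root
    group: root
    mode: '0644'
    backup: yes
  notify: restart sshd
  # … unchanged: when conditions …
```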
@@ -22,35 +21,41 @@ changed_when: false check_mode: no -# The following tasks only get executed when selinux is in state enforcing, UsePam is 'no' and the ssh_password module is installed. -# See this issue for more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23 -- block: - - name: Create selinux custom policy drop folder - file: - path: '{{ ssh_custom_selinux_dir }}' - state: 'directory' - owner: 'root' - group: 'root' - mode: '0750' +# The following tasks only get executed when selinux is in state enforcing, +# UsePam is 'no' and the ssh_password module is not installed. See this issue for +# more info: https://github.com/hardening-io/ansible-ssh-hardening/issues/23 +- when: + - not (ssh_use_pam | bool) + - ('ssh_password' not in ssh_password_module.stdout) + block: + - name: create selinux custom policy drop folder + file: + path: '{{ ssh_custom_selinux_dir }}' + state: 'directory' + owner: 'root' + group: 'root' + mode: '0750' - - name: Distributing custom selinux policies - copy: - src: 'ssh_password' - dest: '{{ ssh_custom_selinux_dir }}' + - name: distributing custom selinux policies + copy: + src: 'ssh_password' + dest: '{{ ssh_custom_selinux_dir }}' - - name: check and compile policy - command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password + - name: check and compile policy + command: checkmodule -M -m -o {{ ssh_custom_selinux_dir }}/ssh_password.mod {{ ssh_custom_selinux_dir }}/ssh_password - - name: create selinux policy module package - command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod + - name: create selinux policy module package + command: semodule_package -o {{ ssh_custom_selinux_dir }}/ssh_password.pp -m {{ ssh_custom_selinux_dir }}/ssh_password.mod - - name: install selinux policy - command: semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp + - name: install selinux policy + command: 
semodule -i {{ ssh_custom_selinux_dir }}/ssh_password.pp - when: not ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') != 0 -# The following tasks only get executed when selinux is installed, UsePam is 'yes' and the ssh_password module is installed. -# See http://danwalsh.livejournal.com/12333.html for more info +# The following tasks only get executed when selinux is installed, UsePam is +# 'yes' and the ssh_password module is installed. See +# http://danwalsh.livejournal.com/12333.html for more info - name: remove selinux-policy when Pam is used, because Allowing sshd to read the shadow file directly is considered a potential security risk command: semodule -r ssh_password - when: ssh_use_pam | bool and ssh_password_module.stdout.find('ssh_password') == 0 + when: + - ssh_use_pam | bool + - ('ssh_password' in ssh_password_module.stdout) diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2 index 01ef844..be83791 100644 --- a/ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2 +++ b/ansible/roles/dev-sec.ssh-hardening/templates/authorized_principals.j2 @@ -1,4 +1,4 @@ -# {{ansible_managed|comment}} +{{ ansible_managed | comment }} {% for principal in item.principals %} {{ principal }} diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2 index 106b887..c26957e 100644 --- a/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2 +++ b/ansible/roles/dev-sec.ssh-hardening/templates/openssh.conf.j2 
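Review bot: The block comment explains when the tasks run but not why the policy is needed or what it grants; the reader only learns from the removal task's name further down that ssh_password lets sshd read the shadow file directly. Suggest extending the comment with `# The ssh_password policy grants sshd direct read access to /etc/shadow so password logins work without PAM; it is removed again below whenever UsePAM is on.` The rewritten `('ssh_password' not in ssh_password_module.stdout)` replaces the brittle `find(...) != 0` test; it is a substring match on `semodule -l` output, fine for this module name but worth a short comment since it would also match any module whose name merely contains that string. The block starts in the previous line of this diff; its `when` and the removal task's `when` are consistent mirrors of each other, which is good.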
@@ -1,9 +1,10 @@ -# {{ansible_managed|comment}} +#jinja2: trim_blocks: "true", lstrip_blocks: "true" +{{ ansible_managed | comment }} # This is the ssh client system-wide configuration file. # See ssh_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. -{% if ssh_custom_options -%} +{% if ssh_custom_options %} # Custom configuration that overwrites default configuration # ========================================================== {% for line in ssh_custom_options %} @@ -17,14 +18,14 @@ # Address family should always be limited to the active network configuration. AddressFamily {{ 'any' if network_ipv6_enable else 'inet' }} -{% for host in ssh_remote_hosts -%} +{% for host in ssh_remote_hosts %} {% if loop.first %} # Host-specific configuration {% endif %} Host {{ host.names | join(' ') }} - {{ host.options | join("\n") | indent(2) }} + {{ host.options | join('\n') | indent(2) }} -{% endfor -%} +{% endfor %} # Global defaults for all Hosts Host * 
@@ -60,16 +61,16 @@ StrictHostKeyChecking ask # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # -{# This outputs "Ciphers " if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #} -{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }} +{# This outputs 'Ciphers ' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined #} +{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }} # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary. # Weak HMAC is sometimes required if older package versions are used # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. # -{# This outputs "MACs " if ssh_macs is defined or "#MACs" if ssh_macs is undefined #} -{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }} +{# This outputs 'MACs ' if ssh_macs is defined or '#MACs' if ssh_macs is undefined #} +{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }} # Alternative setting, if OpenSSH version is below v5.9 #MACs hmac-ripemd160 @@ -79,8 +80,8 @@ StrictHostKeyChecking ask # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf -{# This outputs "KexAlgorithms " if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #} -{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }} +{# This outputs 'KexAlgorithms ' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #} +{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }} # Disable agent forwarding, since local agent could be accessed through forwarded connection. ForwardAgent no 
@@ -113,8 +114,7 @@ PermitLocalCommand no # Misc. configuration # =================== -# Enable compression. More pressure on the CPU, less on the network. -Compression yes +Compression {{ 'yes' if (ssh_client_compression|bool) else 'no' }} #EscapeChar ~ #VisualHostKey yes diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2 index 0a60174..eb681c2 100644 --- a/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2 +++ b/ansible/roles/dev-sec.ssh-hardening/templates/opensshd.conf.j2 @@ -1,12 +1,13 @@ -# {{ansible_managed|comment}} +#jinja2: trim_blocks: "true", lstrip_blocks: "true" +{{ ansible_managed | comment }} # This is the ssh client system-wide configuration file. # See sshd_config(5) for more information on any settings used. Comments will be added only to clarify why a configuration was chosen. -{% if sshd_custom_options -%} +{% if sshd_custom_options %} # Custom configuration that overwrites default configuration # ========================================================== -{% for line in sshd_custom_options -%} +{% for line in sshd_custom_options %} {{ line }} {% endfor %} {% endif %} 
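Review bot: `Compression {{ 'yes' if (ssh_client_compression|bool) else 'no' }}` replaces a commented, fixed `Compression yes` with a variable but drops the explanation, even though the file header promises a comment wherever a setting was deliberately chosen. Restore it above the new line, e.g. `# Compression trades CPU for bandwidth; controlled by ssh_client_compression.` `ssh_client_compression` is not defined in any defaults hunk visible in this diff, so if it is not introduced elsewhere the template fails to render with an undefined-variable error.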
@@ -18,26 +19,26 @@ PermitRootLogin {{ ssh_permit_root_login }} # Define which port sshd should listen to. Default to `22`. -{% for port in ssh_server_ports -%} -Port {{port}} +{% for port in ssh_server_ports %} +Port {{ port }} {% endfor %} # Address family should always be limited to the active network configuration. AddressFamily {{ 'any' if (network_ipv6_enable|bool) else 'inet' }} # Define which addresses sshd should listen to. Default to `0.0.0.0`, ie make sure you put your desired address in here, since otherwise sshd will listen to everyone. -{% for address in ssh_listen_to -%} -ListenAddress {{address}} +{% for address in ssh_listen_to %} +ListenAddress {{ address }} {% endfor %} # List HostKeys here. -{% for key in ssh_host_key_files -%} -HostKey {{key}} +{% for key in ssh_host_key_files %} +HostKey {{ key }} {% endfor %} # Specifies the host key algorithms that the server offers. {% if sshd_version is version('5.8', '>=') %} -{{ "HostKeyAlgorithms "+ssh_host_key_algorithms| join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }} +{{ "HostKeyAlgorithms " ~ ssh_host_key_algorithms|join(',') if ssh_host_key_algorithms else "HostKeyAlgorithms"|comment }} {% endif %} # Security configuration 
@@ -62,16 +63,16 @@ LogLevel {{ sshd_log_level }} # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # -{# This outputs "Ciphers " if ssh_ciphers is defined or "#Ciphers" if ssh_ciphers is undefined #} -{{ "Ciphers "+ssh_ciphers| join(',') if ssh_ciphers else "Ciphers"|comment }} +{# This outputs 'Ciphers ' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined #} +{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }} # **Hash algorithms** -- Make sure not to use SHA1 for hashing, unless it is really necessary. # Weak HMAC is sometimes required if older package versions are used # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. # -{# This outputs "MACs " if ssh_macs is defined or "#MACs" if ssh_macs is undefined #} -{{ "MACs "+ssh_macs| join(',') if ssh_macs else "MACs"|comment }} +{# This outputs 'MACs ' if ssh_macs is defined or '#MACs' if ssh_macs is undefined #} +{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }} # Alternative setting, if OpenSSH version is below v5.9 #MACs hmac-ripemd160 @@ -81,8 +82,8 @@ LogLevel {{ sshd_log_level }} # eg ruby's Net::SSH at around 2.2.* doesn't support sha2 for kex, so this will have to be set true in this case. # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf -{# This outputs "KexAlgorithms " if ssh_kex is defined or "#KexAlgorithms" if ssh_kex is undefined #} -{{ "KexAlgorithms "+ssh_kex| join(',') if ssh_kex else "KexAlgorithms"|comment }} +{# This outputs 'KexAlgorithms ' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #} +{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }} # Authentication # -------------- 
@@ -92,13 +93,17 @@ LogLevel {{ sshd_log_level }} UseLogin no {% endif %} {% if sshd_version is version('7.5', '<') %} -UsePrivilegeSeparation {% if (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') -%}{{ssh_ps53}}{% else %}{{ssh_ps59}}{% endif %} +UsePrivilegeSeparation {{ + (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') + or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon') + | ternary(ssh_ps53, ssh_ps59) +}} {% endif %} -LoginGraceTime 30s -MaxAuthTries {{ssh_max_auth_retries}} -MaxSessions 10 -MaxStartups {{ssh_max_startups}} +LoginGraceTime {{ ssh_login_grace_time }} +MaxAuthTries {{ ssh_max_auth_retries }} +MaxSessions {{ ssh_max_sessions }} +MaxStartups {{ ssh_max_startups }} # Enable public key authentication PubkeyAuthentication yes @@ -109,7 +114,7 @@ IgnoreUserKnownHosts yes HostbasedAuthentication no # Enable PAM to enforce system wide rules -{% if ssh_pam_support -%} +{% if ssh_pam_support %} UsePAM {{ 'yes' if (ssh_use_pam|bool) else 'no' }} {% endif %} @@ -124,7 +129,7 @@ PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }} PermitEmptyPasswords no ChallengeResponseAuthentication {{ 'yes' if (ssh_challengeresponseauthentication|bool) else 'no' }} -{% if ssh_kerberos_support -%} +{% if ssh_kerberos_support %} # Only enable Kerberos authentication if it is configured. KerberosAuthentication no KerberosOrLocalPasswd no 
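Review bot: The rewritten `UsePrivilegeSeparation` expression has a precedence bug: in Jinja2 a filter binds tighter than `or`, so `A or B | ternary(ssh_ps53, ssh_ps59)` parses as `A or (B | ternary(...))`, and on a Debian ≤ 6 host with sshd below 7.5 (A true) the line renders as `UsePrivilegeSeparation True`, which sshd does not accept; the `validate` run in hardening.yml would then fail the task. Wrap the whole disjunction before applying the filter:
`UsePrivilegeSeparation {{ (`
`  (ansible_facts.distribution == 'Debian' and ansible_facts.distribution_major_version <= '6') or (ansible_facts.os_family in ['Oracle Linux', 'RedHat'] and ansible_facts.distribution_major_version <= '6' and not ansible_facts.distribution == 'Amazon')`
`) | ternary(ssh_ps53, ssh_ps59) }}`.
The `<= '6'` comparisons are string comparisons inherited from the old line; they are masked by the surrounding `sshd_version < 7.5` guard but would rank '10' below '6' if that guard were ever relaxed.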
@@ -137,29 +142,29 @@ GSSAPIAuthentication {{ 'yes' if ssh_gssapi_support else 'no' }} GSSAPICleanupCredentials yes # In case you don't use PAM (`UsePAM no`), you can alternatively restrict users and groups here. For key-based authentication this is not necessary, since all keys must be explicitely enabled. -{% if ssh_deny_users -%} -DenyUsers {{ssh_deny_users}} +{% if ssh_deny_users %} +DenyUsers {{ ssh_deny_users }} {% endif %} -{% if ssh_allow_users -%} -AllowUsers {{ssh_allow_users}} +{% if ssh_allow_users %} +AllowUsers {{ ssh_allow_users }} {% endif %} -{% if ssh_deny_groups -%} -DenyGroups {{ssh_deny_groups}} +{% if ssh_deny_groups %} +DenyGroups {{ ssh_deny_groups }} {% endif %} -{% if ssh_allow_groups -%} -AllowGroups {{ssh_allow_groups}} +{% if ssh_allow_groups %} +AllowGroups {{ ssh_allow_groups }} {% endif %} -{% if ssh_authorized_keys_file -%} +{% if ssh_authorized_keys_file %} AuthorizedKeysFile {{ ssh_authorized_keys_file }} {% endif %} -{% if ssh_trusted_user_ca_keys_file -%} +{% if ssh_trusted_user_ca_keys_file %} TrustedUserCAKeys {{ ssh_trusted_user_ca_keys_file }} -{% if ssh_authorized_principals_file -%} +{% if ssh_authorized_principals_file %} AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }} {% endif %} {% endif %} @@ -171,8 +176,8 @@ AuthorizedPrincipalsFile {{ ssh_authorized_principals_file }} TCPKeepAlive no # Manage `ClientAlive..` signals via interval and maximum count. This will periodically check up to a `..CountMax` number of times within `..Interval` timeframe, and abort the connection once these fail. -ClientAliveInterval {{ssh_client_alive_interval}} -ClientAliveCountMax {{ssh_client_alive_count}} +ClientAliveInterval {{ ssh_client_alive_interval }} +ClientAliveCountMax {{ ssh_client_alive_count }} # Disable tunneling PermitTunnel {{ 'yes' if (ssh_permit_tunnel|bool) else 'no' }} 
@@ -189,19 +194,19 @@ AllowTcpForwarding {{ ssh_allow_tcp_forwarding if (ssh_allow_tcp_forwarding in ( # no real advantage without denied shell access AllowAgentForwarding {{ 'yes' if (ssh_allow_agent_forwarding|bool) else 'no' }} -{% if ssh_gateway_ports|bool -%} +{% if ssh_gateway_ports|bool %} # Port forwardings are forced to bind to the wildcard address GatewayPorts yes -{% elif ssh_gateway_ports == 'clientspecified' -%} +{% elif ssh_gateway_ports == 'clientspecified' %} # Clients allowed to specify which address to bind port forwardings to GatewayPorts clientspecified -{% else -%} +{% else %} # Do not allow remote port forwardings to bind to non-loopback addresses. GatewayPorts no {% endif %} # Disable X11 forwarding, since local X11 display could be accessed through forwarded connection. -X11Forwarding no +X11Forwarding {{ 'yes' if (ssh_x11_forwarding|bool) else 'no' }} X11UseLocalhost yes # User environment configuration @@ -209,7 +214,7 @@ X11UseLocalhost yes PermitUserEnvironment {{ ssh_server_permit_environment_vars }} -{% if ssh_server_accept_env_vars -%} +{% if ssh_server_accept_env_vars %} AcceptEnv {{ ssh_server_accept_env_vars }} {% endif %} @@ -226,16 +231,16 @@ PrintMotd {{ 'yes' if (ssh_print_motd|bool) else 'no' }} PrintLastLog {{ 'yes' if (ssh_print_last_log|bool) else 'no' }} {% endif %} -Banner {{ '/etc/ssh/banner.txt' if (ssh_banner|bool) else 'none' }} +Banner {{ ssh_banner_path if (ssh_banner|bool) else 'none' }} -{% if ansible_facts.os_family == 'Debian' -%} +{% if ansible_facts.os_family == 'Debian' %} DebianBanner {{ 'yes' if (ssh_print_debian_banner|bool) else 'no' }} {% endif %} # Reject keys that are explicitly blacklisted RevokedKeys /etc/ssh/revoked_keys -{% if sftp_enabled -%} +{% if sftp_enabled %} # SFTP matching configuration # =========================== # Configuration, in case SFTP is used 
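Review bot: The comment `# Disable X11 forwarding, since local X11 display could be accessed through forwarded connection.` now sits above a line that may render `X11Forwarding yes`, so it describes the default rather than the directive. Rephrase it to match the new variable, e.g. `# X11 forwarding is off by default (ssh_x11_forwarding) because a forwarded connection could reach the local X11 display; enable it only where needed.` The agent-forwarding line a few lines up already pairs its variable with a rationale in the same way, so this keeps the two consistent.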
@@ -256,39 +261,51 @@ Match Group sftponly
 PermitRootLogin no
 X11Forwarding no
 {% endif %}
+{% if ssh_server_match_address %}
-{% if ssh_server_match_address -%}
 # Address matching configuration
 # ============================
-{% for item in ssh_server_match_address -%}
+{% for item in ssh_server_match_address %}
 Match Address {{ item.address }}
 {% for rule in item.rules %}
 {{ rule | indent(4) }}
 {% endfor %}
 {% endfor %}
 {% endif %}
+{% if ssh_server_match_group %}
-{% if ssh_server_match_group -%}
 # Group matching configuration
 # ============================
-{% for item in ssh_server_match_group -%}
+{% for item in ssh_server_match_group %}
 Match Group {{ item.group }}
 {% for rule in item.rules %}
 {{ rule | indent(4) }}
 {% endfor %}
 {% endfor %}
 {% endif %}
+{% if ssh_server_match_user %}
-{% if ssh_server_match_user -%}
 # User matching configuration
 # ===========================
-{% for item in ssh_server_match_user -%}
+{% for item in ssh_server_match_user %}
 Match User {{ item.user }}
 {% for rule in item.rules %}
 {{ rule | indent(4) }}
 {% endfor %}
 {% endfor %}
 {% endif %}
+{% if ssh_server_match_local_port %}
+
+# LocalPort matching configuration
+# ================================
+
+{% for item in ssh_server_match_local_port %}
+Match LocalPort {{ item.port }}
+ {% for rule in item.rules %}
+ {{ rule | indent(4) }}
+ {% endfor %}
+{% endfor %}
+{% endif %}
diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2
index 7156211..1a7eba6 100644
--- a/ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2
+++ b/ansible/roles/dev-sec.ssh-hardening/templates/revoked_keys.j2
@@ -1,4 +1,5 @@
-# {{ansible_managed|comment}}
+{{ ansible_managed | comment }}
+
 {% for key in ssh_server_revoked_keys %}
-{{key}}
+{{ key }}
 {% endfor %}
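Review bot: The new `Match LocalPort` section is rendered after the Address, Group and User sections, and sshd uses the first value it obtains for a keyword, so when a connection satisfies more than one Match block the earlier block's directive wins; that precedence should be stated in the template. Add above the new section: `# Match blocks apply in file order: for a keyword set in several matching blocks the first one wins, so LocalPort rules have the lowest precedence here.` The `rules` entries are still emitted verbatim through `{{ rule | indent(4) }}`, so a malformed directive only surfaces when sshd validates the config — presumably the role runs `sshd -t` before restarting, which is outside this diff. Note also that `Match LocalPort` only fires for ports sshd listens on; the test data in default_custom.yml handles this by adding 222 to `ssh_server_ports`.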
diff --git a/ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2 b/ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2
index e6305dc..bd62ccd 100644
--- a/ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2
+++ b/ansible/roles/dev-sec.ssh-hardening/templates/trusted_user_ca_keys.j2
@@ -1,5 +1,5 @@
-# {{ansible_managed|comment}}
+{{ ansible_managed | comment }}
-{% for item in ssh_trusted_user_ca_keys %}
-{{ item }}
+{% for key in ssh_trusted_user_ca_keys %}
+{{ key }}
 {% endfor %}
diff --git a/ansible/roles/dev-sec.ssh-hardening/tests/default.yml b/ansible/roles/dev-sec.ssh-hardening/tests/default.yml
index 231d09b..bb3b71d 100644
--- a/ansible/roles/dev-sec.ssh-hardening/tests/default.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/tests/default.yml
@@ -7,25 +7,48 @@ ansible_python_interpreter: /usr/bin/python3 when: ansible_facts.distribution == 'Fedora' - - package: name="{{ packages }}" state=present - vars: - packages: + - yum: + name: - openssh-clients - openssh-server - libselinux-python + state: present + update_cache: true ignore_errors: true - - apt: name="{{packages}}" state=present update_cache=true - vars: - packages: - - "openssh-client" - - "openssh-server" + + - dnf: + name: + - openssh-clients + - openssh-server + - procps-ng + state: present + update_cache: true ignore_errors: true - - file: path="/var/run/sshd" state=directory + + - apt: + name: + - openssh-client + - openssh-server + state: present + update_cache: true + ignore_errors: true + + - file: + path: "/var/run/sshd" + state: directory + + - pacman: + name: + - "openssh" + - "awk" + state: present + update_cache: true + ignore_errors: true + - name: create ssh host keys command: "ssh-keygen -A" - when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or + when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora" or ansible_facts.distribution == "Amazon" - roles: - ansible-ssh-hardening diff --git a/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml b/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml index b88a6e8..b8a49f1 100644 --- a/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml +++ b/ansible/roles/dev-sec.ssh-hardening/tests/default_custom.yml 
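Review bot: `ansible_facts.distribution_major_version < '7'` on the changed `when:` line is a string comparison, so any two-digit major version sorts below `'7'` and the `ssh-keygen -A` task would be skipped on such a release; write `ansible_facts.distribution_major_version | int < 7`. The identical line appears in the default_custom.yml hunk that follows. Separately, every package task (yum, dnf, apt, pacman) carries `ignore_errors: true`, so a failed install is only noticed when a later task fails for a less obvious reason; conditioning each task on `ansible_facts.pkg_mgr` instead would let the errors stand and make the intent of the four parallel tasks explicit.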
@@ -7,23 +7,47 @@ ansible_python_interpreter: /usr/bin/python3 when: ansible_facts.distribution == 'Fedora' - - package: name="{{ packages }}" state=present - vars: - packages: + - yum: + name: - openssh-clients - openssh-server - libselinux-python + state: present + update_cache: true ignore_errors: true - - apt: name="{{packages}}" state=present update_cache=true - vars: - packages: - - "openssh-client" - - "openssh-server" + + - dnf: + name: + - openssh-clients + - openssh-server + - procps-ng + state: present + update_cache: true ignore_errors: true - - file: path="/var/run/sshd" state=directory + + - apt: + name: + - openssh-client + - openssh-server + state: present + update_cache: true + ignore_errors: true + + - file: + path: "/var/run/sshd" + state: directory + + - pacman: + name: + - "openssh" + - "awk" + state: present + update_cache: true + ignore_errors: true + - name: create ssh host keys command: "ssh-keygen -A" - when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or + when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or ansible_facts.distribution == "Fedora" or ansible_facts.distribution == "Amazon" @@ -56,6 +80,9 @@ sftp_enabled: true sftp_chroot: true #ssh_server_enabled: false + ssh_server_ports: + - 22 + - 222 ssh_server_match_address: - address: '192.168.1.1/24' rules: @@ -71,6 +98,11 @@ rules: - 'AllowTcpForwarding yes' - 'AllowAgentForwarding no' + ssh_server_match_local_port: + - port: 222 + rules: + - 'AllowTcpForwarding yes' + - 'AllowAgentForwarding no' ssh_remote_hosts: - names: ['example.com', 'example2.com'] options: ['Port 2222', 'ForwardAgent yes'] diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Archlinux.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Archlinux.yml new file mode 100644 index 0000000..5de26a2 --- /dev/null +++ b/ansible/roles/dev-sec.ssh-hardening/vars/Archlinux.yml 
@@ -0,0 +1,10 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
+sshd_service_name: sshd
+ssh_owner: root
+ssh_group: root
+
+# CRYPTO_POLICY is not supported on Archlinux
+# and the package check only works in Ansible >2.10
+sshd_disable_crypto_policy: false
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
index df491f3..062c204 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Debian.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: ssh
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
index b42c9c2..7655866 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Fedora.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml b/ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml
index 173b78a..4a69f24 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/FreeBSD.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml b/ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml
index 8e3c804..546ce77 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/OpenBSD.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: wheel
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml b/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
index 5694cea..36f0ee0 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/Oracle Linux.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
index 5694cea..36f0ee0 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
index b42c9c2..7655866 100644
--- a/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/RedHat_8.yml
@@ -1,3 +1,6 @@
+---
+sshd_path: /usr/sbin/sshd
+ssh_host_keys_dir: '/etc/ssh'
 sshd_service_name: sshd
 ssh_owner: root
 ssh_group: root
diff --git a/ansible/roles/dev-sec.ssh-hardening/vars/SmartOS.yml b/ansible/roles/dev-sec.ssh-hardening/vars/SmartOS.yml
new file mode 100644
index 0000000..ef38877
--- /dev/null
+++ b/ansible/roles/dev-sec.ssh-hardening/vars/SmartOS.yml
@@ -0,0 +1,8 @@
+---
+sshd_path: /usr/lib/ssh/sshd
+ssh_host_keys_dir: '/var/ssh'
+sshd_service_name: ssh
+ssh_owner: root
+ssh_group: root
+
+ssh_pam_support: false
diff --git a/ansible/roles/geerlingguy.docker/.ansible-lint b/ansible/roles/geerlingguy.docker/.ansible-lint
index 4778564..affe64f 100644
--- a/ansible/roles/geerlingguy.docker/.ansible-lint
+++ b/ansible/roles/geerlingguy.docker/.ansible-lint
@@ -1,2 +1,3 @@
 skip_list:
 - '306'
+ - '106'
diff --git a/ansible/roles/geerlingguy.docker/.github/stale.yml b/ansible/roles/geerlingguy.docker/.github/stale.yml index c7ff127..3ac21f9 100644 --- a/ansible/roles/geerlingguy.docker/.github/stale.yml +++ b/ansible/roles/geerlingguy.docker/.github/stale.yml @@ -1,5 +1,5 @@ # Configuration for probot-stale - https://github.com/probot/stale - +--- # Number of days of inactivity before an Issue or Pull Request becomes stale daysUntilStale: 90 diff --git a/ansible/roles/geerlingguy.docker/.github/workflows/ci.yml b/ansible/roles/geerlingguy.docker/.github/workflows/ci.yml new file mode 100644 index 0000000..42b7a1d --- /dev/null +++ b/ansible/roles/geerlingguy.docker/.github/workflows/ci.yml @@ -0,0 +1,72 @@ +--- +name: CI +'on': + pull_request: + push: + branches: + - master + schedule: + - cron: "0 7 * * 0" + +defaults: + run: + working-directory: 'geerlingguy.docker' + +jobs: + + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.docker' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install yamllint ansible-lint + + - name: Lint code. + run: | + yamllint . + ansible-lint + + molecule: + name: Molecule + runs-on: ubuntu-latest + strategy: + matrix: + distro: + - centos8 + - centos7 + - ubuntu2004 + - ubuntu1804 + - debian10 + - debian9 + - fedora31 + + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.docker' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install test dependencies. + run: pip3 install ansible molecule[docker] docker + + - name: Run Molecule tests. + run: molecule test + env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + MOLECULE_DISTRO: ${{ matrix.distro }} 
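Review bot: `uses: actions/checkout@v2` and `uses: actions/setup-python@v2` in the new ci.yml reference mutable tags, and `pip3 install yamllint ansible-lint` / `pip3 install ansible molecule[docker] docker` take whatever is current at run time, so the weekly `cron: "0 7 * * 0"` run will silently pick up new action code and new package versions. Pinning each action to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<commit-sha>  # v2`, placeholder) and constraining the pip installs makes the pipeline reproducible and keeps a retagged upstream action from executing in this repository. release.yml in the next section has the same unpinned `uses:` lines.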
diff --git a/ansible/roles/geerlingguy.docker/.github/workflows/release.yml b/ansible/roles/geerlingguy.docker/.github/workflows/release.yml new file mode 100644 index 0000000..5d02a3e --- /dev/null +++ b/ansible/roles/geerlingguy.docker/.github/workflows/release.yml @@ -0,0 +1,38 @@ +--- +# This workflow requires a GALAXY_API_KEY secret present in the GitHub +# repository or organization. +# +# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy +# See: https://github.com/ansible/galaxy/issues/46 + +name: Release +'on': + push: + tags: + - '*' + +defaults: + run: + working-directory: 'geerlingguy.docker' + +jobs: + + release: + name: Release + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'geerlingguy.docker' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install Ansible. + run: pip3 install ansible-base + + - name: Trigger a new import on Galaxy. + run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/ansible/roles/geerlingguy.docker/.travis.yml b/ansible/roles/geerlingguy.docker/.travis.yml deleted file mode 100644 index a0001c3..0000000 --- a/ansible/roles/geerlingguy.docker/.travis.yml +++ /dev/null 
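Review bot: The `run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) ...` step expands workflow expressions straight into the shell script; `github.repository` is not attacker-controlled, so this is a style point rather than an injection, but the secret also lands on the process command line, and the two `$(echo … | cut …)` subshells are doing what parameter expansion does natively. Passing both values through `env:` and referencing them as quoted shell variables keeps the script input literal. The `tags: - '*'` trigger means any pushed tag starts a Galaxy import, which is expected for a release workflow but deserves a comment next to the existing GALAXY_API_KEY note.

```yaml
      - name: Trigger a new import on Galaxy.
        env:
          GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}
          REPO: ${{ github.repository }}
        run: ansible-galaxy role import --api-key "$GALAXY_API_KEY" "${REPO%%/*}" "${REPO#*/}"
```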
@@ -1,31 +0,0 @@ ---- -language: python -services: docker - -env: - global: - - ROLE_NAME: docker - matrix: - - MOLECULE_DISTRO: centos8 - - MOLECULE_DISTRO: centos7 - - MOLECULE_DISTRO: ubuntu1804 - - MOLECULE_DISTRO: ubuntu1604 - - MOLECULE_DISTRO: debian10 - - MOLECULE_DISTRO: debian9 - -install: - # Install test dependencies. - - pip install molecule yamllint ansible-lint docker - -before_script: - # Use actual Ansible Galaxy role name for the project directory. - - cd ../ - - mv ansible-role-$ROLE_NAME geerlingguy.$ROLE_NAME - - cd geerlingguy.$ROLE_NAME - -script: - # Run tests. - - molecule test - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/ansible/roles/geerlingguy.docker/.yamllint b/ansible/roles/geerlingguy.docker/.yamllint index 7aeec5a..e6fc538 100644 --- a/ansible/roles/geerlingguy.docker/.yamllint +++ b/ansible/roles/geerlingguy.docker/.yamllint @@ -1,6 +1,11 @@ --- extends: default + rules: line-length: max: 200 level: warning + +ignore: | + .github/stale.yml + .travis.yml diff --git a/ansible/roles/geerlingguy.docker/README.md b/ansible/roles/geerlingguy.docker/README.md index 036b560..3090374 100644 --- a/ansible/roles/geerlingguy.docker/README.md +++ b/ansible/roles/geerlingguy.docker/README.md @@ -1,6 +1,6 @@ # Ansible Role: Docker -[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-docker.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-docker) +[![CI](https://github.com/geerlingguy/ansible-role-docker/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-docker/actions?query=workflow%3ACI) An Ansible Role that installs [Docker](https://www.docker.com) on Linux. 
@@ -28,7 +28,7 @@ You can control whether the package is installed, uninstalled, or at the latest Variables to control the state of the `docker` service, and whether it should start on boot. If you're installing Docker inside a Docker container without systemd or sysvinit, you should set these to `stopped` and set the enabled variable to `no`. docker_install_compose: true - docker_compose_version: "1.25.4" + docker_compose_version: "1.26.0" docker_compose_path: /usr/local/bin/docker-compose Docker Compose installation options. @@ -39,17 +39,17 @@ Docker Compose installation options. docker_apt_ignore_key_error: True docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg -(Used only for Debian/Ubuntu.) You can switch the channel to `edge` if you want to use the Edge release. +(Used only for Debian/Ubuntu.) You can switch the channel to `nightly` if you want to use the Nightly release. You can change `docker_apt_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. Usually in combination with changing `docker_apt_repository` as well. docker_yum_repo_url: https://download.docker.com/linux/centos/docker-{{ docker_edition }}.repo - docker_yum_repo_enable_edge: '0' + docker_yum_repo_enable_nightly: '0' docker_yum_repo_enable_test: '0' docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg -(Used only for RedHat/CentOS.) You can enable the Edge or Test repo by setting the respective vars to `1`. +(Used only for RedHat/CentOS.) You can enable the Nightly or Test repo by setting the respective vars to `1`. You can change `docker_yum_gpg_key` to a different url if you are behind a firewall or provide a trustworthy mirror. Usually in combination with changing `docker_yum_repository` as well. diff --git a/ansible/roles/geerlingguy.docker/defaults/main.yml b/ansible/roles/geerlingguy.docker/defaults/main.yml index ba5ba8a..8d66047 100644 --- a/ansible/roles/geerlingguy.docker/defaults/main.yml 
+++ b/ansible/roles/geerlingguy.docker/defaults/main.yml @@ -11,10 +11,10 @@ docker_restart_handler_state: restarted # Docker Compose options. docker_install_compose: true -docker_compose_version: "1.25.4" +docker_compose_version: "1.26.0" docker_compose_path: /usr/local/bin/docker-compose -# Used only for Debian/Ubuntu. Switch 'stable' to 'edge' if needed. +# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed. docker_apt_release_channel: stable docker_apt_arch: amd64 docker_apt_repository: "deb [arch={{ docker_apt_arch }}] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}" @@ -23,7 +23,7 @@ docker_apt_gpg_key: https://download.docker.com/linux/{{ ansible_distribution | # Used only for RedHat/CentOS/Fedora. docker_yum_repo_url: https://download.docker.com/linux/{{ (ansible_distribution == "Fedora") | ternary("fedora","centos") }}/docker-{{ docker_edition }}.repo -docker_yum_repo_enable_edge: '0' +docker_yum_repo_enable_nightly: '0' docker_yum_repo_enable_test: '0' docker_yum_gpg_key: https://download.docker.com/linux/centos/gpg diff --git a/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info b/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info index 412c30a..05272c2 100644 --- a/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info +++ b/ansible/roles/geerlingguy.docker/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Fri May 15 20:32:50 2020 -version: 2.7.0 +install_date: Sat Feb 20 13:56:42 2021 +version: 3.0.0 diff --git a/ansible/roles/geerlingguy.docker/meta/main.yml b/ansible/roles/geerlingguy.docker/meta/main.yml index 82065cd..fc01727 100644 --- a/ansible/roles/geerlingguy.docker/meta/main.yml +++ b/ansible/roles/geerlingguy.docker/meta/main.yml @@ -2,6 +2,7 @@ dependencies: [] galaxy_info: + role_name: docker author: geerlingguy description: Docker for Linux. company: "Midwestern Mac, LLC" 
@@ -23,6 +24,7 @@ galaxy_info: versions: - xenial - bionic + - focal galaxy_tags: - web - system diff --git a/ansible/roles/geerlingguy.docker/molecule/default/converge.yml b/ansible/roles/geerlingguy.docker/molecule/default/converge.yml index dad331d..629095b 100644 --- a/ansible/roles/geerlingguy.docker/molecule/default/converge.yml +++ b/ansible/roles/geerlingguy.docker/molecule/default/converge.yml @@ -8,5 +8,17 @@ apt: update_cache=yes cache_valid_time=600 when: ansible_os_family == 'Debian' + - name: Wait for systemd to complete initialization. # noqa 303 + command: systemctl is-system-running + register: systemctl_status + until: > + 'running' in systemctl_status.stdout or + 'degraded' in systemctl_status.stdout + retries: 30 + delay: 5 + when: ansible_service_mgr == 'systemd' + changed_when: false + failed_when: systemctl_status.rc > 1 + roles: - role: geerlingguy.docker diff --git a/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml b/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml index 2da47dd..7490710 100644 --- a/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml +++ b/ansible/roles/geerlingguy.docker/molecule/default/molecule.yml @@ -3,10 +3,6 @@ dependency: name: galaxy driver: name: docker -lint: | - set -e - yamllint . - ansible-lint platforms: - name: instance image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest" diff --git a/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml b/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml index 800c0bc..9607238 100644 --- a/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml +++ b/ansible/roles/geerlingguy.docker/tasks/setup-RedHat.yml 
@@ -20,12 +20,13 @@ group: root mode: 0644 -- name: Configure Docker Edge repo. +- name: Configure Docker Nightly repo. ini_file: dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo' - section: 'docker-{{ docker_edition }}-edge' + section: 'docker-{{ docker_edition }}-nightly' option: enabled - value: '{{ docker_yum_repo_enable_edge }}' + value: '{{ docker_yum_repo_enable_nightly }}' + mode: 0644 - name: Configure Docker Test repo. ini_file: @@ -33,9 +34,17 @@ section: 'docker-{{ docker_edition }}-test' option: enabled value: '{{ docker_yum_repo_enable_test }}' + mode: 0644 -- name: Install containerd separately (CentOS 8). - package: - name: https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm - state: present +- name: Configure containerd on RHEL 8. + block: + - name: Ensure container-selinux is installed. + package: + name: container-selinux + state: present + + - name: Ensure containerd.io is installed. + package: + name: containerd.io + state: present when: ansible_distribution_major_version | int == 8 diff --git a/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info b/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info index 86d7774..00c7e15 100644 --- a/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info +++ b/ansible/roles/geerlingguy.nodejs/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Fri May 15 20:27:04 2020 +install_date: Thu Feb 18 15:39:27 2021 version: 5.1.1 diff --git a/ansible/roles/jnv.unattended-upgrades/.ansible-lint b/ansible/roles/jnv.unattended-upgrades/.ansible-lint new file mode 100644 index 0000000..d09fda8 --- /dev/null +++ b/ansible/roles/jnv.unattended-upgrades/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - '503' diff --git a/ansible/roles/jnv.unattended-upgrades/.github/workflows/ansible-linting-check.yml b/ansible/roles/jnv.unattended-upgrades/.github/workflows/ansible-linting-check.yml new file mode 100644 index 0000000..35c1fac --- /dev/null 
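Review bot: The added `mode: 0644` on both `ini_file` tasks is an unquoted YAML octal literal; PyYAML reads it as the integer 420, which Ansible accepts, but the same form written as `644` by a later editor becomes decimal 644 and an unintended permission set with no warning, which is why ansible-lint flags it. Write `mode: '0644'` (quoted) in both the Nightly and Test repo tasks. Replacing the hard-coded `containerd.io-1.2.6-3.3.el7.x86_64.rpm` URL with the `containerd.io` package is a good change: assuming the configured repo file enables gpgcheck, the package is now signature-verified through the repository instead of being fetched from a fixed URL, and the RHEL 8 `block:` keeps the `when:` applied to both tasks.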
+++ b/ansible/roles/jnv.unattended-upgrades/.github/workflows/ansible-linting-check.yml @@ -0,0 +1,17 @@ +name: Ansible Lint check +# visit https://github.com/marketplace/actions/ansible-lint for infos + +on: [push, pull_request] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Lint Ansible Playbook + uses: ansible/ansible-lint-action@master + with: + targets: "." diff --git a/ansible/roles/jnv.unattended-upgrades/README.md b/ansible/roles/jnv.unattended-upgrades/README.md index 978b832..401e6fd 100644 --- a/ansible/roles/jnv.unattended-upgrades/README.md +++ b/ansible/roles/jnv.unattended-upgrades/README.md @@ -46,8 +46,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai * Default: `false` (don't send any e-mail) * `unattended_mail_only_on_error`: send e-mail only on errors, otherwise e-mail will be sent every time there's a package upgrade. * Default: `false` -* `unattended_remove_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade. +* `unattended_remove_unused_dependencies`: do automatic removal of all unused dependencies after the upgrade. * Default: `false` +* `unattended_remove_new_unused_dependencies`: do automatic removal of new unused dependencies after the upgrade. + * Default: `true` * `unattended_automatic_reboot`: Automatically reboot system if any upgraded package requires it, immediately after the upgrade. * Default: `false` * `unattended_automatic_reboot_time`: Automatically reboot system if any upgraded package requires it, at the specific time (_HH:MM_) instead of immediately after the upgrade. 
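Review bot: `uses: ansible/ansible-lint-action@master` pins the lint step to a moving branch, so every push and pull request executes whatever that branch contains at the time. Pin it to a release tag or, better, a full commit SHA (`ansible/ansible-lint-action@<commit-sha>  # vX.Y`, placeholder), and do the same for `actions/checkout@v2` above it. Because the workflow also runs on `pull_request`, the default token is read-only for forks, which limits the blast radius, but the job still runs third-party code against the checked-out repository.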
@@ -56,6 +58,10 @@ On some hosts you may find that the unattended-upgrade's cronfile `/etc/cron.dai * Default: disabled * `unattended_ignore_apps_require_restart`: unattended-upgrades won't automatically upgrade some critical packages requiring restart after an upgrade (i.e. there is `XB-Upgrade-Requires: app-restart` directive in their debian/control file). With this option set to `true`, unattended-upgrades will upgrade these packages regardless of the directive. * Default: `false` +* `unattended_syslog_enable`: Write events to syslog, which is useful in environments where syslog messages are sent to a central store. + * Default: `false` +* `unattended_syslog_facility`: Write events to the specified syslog facility, or the daemon facility if not specified. Will only have affect if `unattended_syslog_enable` is set to `true`. + * Default: `daemon` * `unattended_verbose`: Define verbosity level of APT for periodic runs. The output will be sent to root. * Possible options: * `0`: no report diff --git a/ansible/roles/jnv.unattended-upgrades/defaults/main.yml b/ansible/roles/jnv.unattended-upgrades/defaults/main.yml index 59fcc69..a62ee01 100644 --- a/ansible/roles/jnv.unattended-upgrades/defaults/main.yml +++ b/ansible/roles/jnv.unattended-upgrades/defaults/main.yml @@ -48,10 +48,14 @@ unattended_mail: false unattended_mail_only_on_error: false #Unattended-Upgrade::Remove-Unused-Dependencies -# Do automatic removal of new unused dependencies after the upgrade +# Do automatic removal of all unused dependencies after the upgrade # (equivalent to apt-get autoremove) unattended_remove_unused_dependencies: false +#Unattended-Upgrade::Remove-New-Unused-Dependencies +# Remove any new unused dependencies after the upgrade +unattended_remove_new_unused_dependencies: true + #Unattended-Upgrade::Automatic-Reboot # Automatically reboot *WITHOUT CONFIRMATION* if a # the file /var/run/reboot-required is found after the upgrade 
@@ -67,6 +71,17 @@ unattended_automatic_reboot_time: false
 # I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
 unattended_ignore_apps_require_restart: false
+#Unattended-Upgrade::SyslogEnable
+# Write events to syslog, which is useful in environments where syslog
+# messages are sent to a central store.
+unattended_syslog_enable: false
+
+#Unattended-Upgrade::SyslogFacility
+# Write events to the specified syslog facility, or the daemon facility if
+# not specified. Requires the Unattended-Upgrade::SyslogEnable option to be
+# set to true.
+#unattended_syslog_facility: "daemon"
+
 ### APT::Periodic configuration
 # Snatched from /usr/lib/apt/apt.systemd.daily
@@ -119,4 +134,4 @@ unattended_dpkg_options: []
 # Use apt bandwidth limit feature, this example limits the download speed to 70kb/sec
-#unattended_dl_limit: 70
\ No newline at end of file
+#unattended_dl_limit: 70
diff --git a/ansible/roles/jnv.unattended-upgrades/meta/.galaxy_install_info b/ansible/roles/jnv.unattended-upgrades/meta/.galaxy_install_info
index 0d4a914..73ff3f3 100644
--- a/ansible/roles/jnv.unattended-upgrades/meta/.galaxy_install_info
+++ b/ansible/roles/jnv.unattended-upgrades/meta/.galaxy_install_info
@@ -1,2 +1,2 @@
-install_date: Fri May 15 21:54:44 2020
-version: v1.8.0
+install_date: Sat Feb 20 13:56:45 2021
+version: v1.10.0
diff --git a/ansible/roles/jnv.unattended-upgrades/meta/main.yml b/ansible/roles/jnv.unattended-upgrades/meta/main.yml
index 90dcd6d..f7aa9f0 100644
--- a/ansible/roles/jnv.unattended-upgrades/meta/main.yml
+++ b/ansible/roles/jnv.unattended-upgrades/meta/main.yml
@@ -20,7 +20,7 @@ galaxy_info:
 # Below are all categories currently available. Just as with
 # the platforms above, uncomment those that apply to your role.
 #
- categories:
+ galaxy_tags:
 #- cloud
 #- cloud:ec2
 #- cloud:gce
diff --git a/ansible/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml b/ansible/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml index 64c97ab..2b911fe 100644 --- a/ansible/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml +++ b/ansible/roles/jnv.unattended-upgrades/tasks/unattended-upgrades.yml @@ -10,7 +10,7 @@ apt: pkg: unattended-upgrades state: present - cache_valid_time: "{{unattended_cache_valid_time}}" + cache_valid_time: "{{ unattended_cache_valid_time }}" update_cache: yes - name: install reboot dependencies diff --git a/ansible/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 b/ansible/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 index 388a028..5a64ed5 100644 --- a/ansible/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 +++ b/ansible/roles/jnv.unattended-upgrades/templates/auto-upgrades.j2 @@ -1,3 +1,5 @@ +// {{ ansible_managed }} + APT::Periodic::Unattended-Upgrade "1"; {% if unattended_update_package_list is defined %} diff --git a/ansible/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 b/ansible/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 index 0b0d218..9338c49 100644 --- a/ansible/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 +++ b/ansible/roles/jnv.unattended-upgrades/templates/unattended-upgrades.j2 @@ -1,3 +1,5 @@ +// {{ ansible_managed }} + // Unattended-Upgrade::Origins-Pattern controls which packages are // upgraded. Unattended-Upgrade::Origins-Pattern { 
@@ -55,11 +57,16 @@ Unattended-Upgrade::MailOnlyOnError "true";
 {% endif %}
 {% if unattended_remove_unused_dependencies %}
-// Do automatic removal of new unused dependencies after the upgrade
+// Do automatic removal of all unused dependencies after the upgrade
 // (equivalent to apt-get autoremove)
 Unattended-Upgrade::Remove-Unused-Dependencies "true";
 {% endif %}
+{% if not unattended_remove_new_unused_dependencies %}
+// Do automatic removal of new unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
+{% endif %}
+
 {% if unattended_automatic_reboot %}
 // Automatically reboot *WITHOUT CONFIRMATION* if a
 // the file /var/run/reboot-required is found after the upgrade
@@ -88,6 +95,18 @@ Unattended-Upgrade::Update-Days {{ unattended_update_days }};
 Unattended-Upgrade::IgnoreAppsRequireRestart "true";
 {% endif %}
+{% if unattended_syslog_enable %}
+// Write events to syslog, which is useful in environments where syslog
+// messages are sent to a central store.
+Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}";
+{% if unattended_syslog_facility is defined %}
+// Write events to the specified syslog facility, or the daemon facility
+// if not specified. Requires the Unattended-Upgrade::SyslogEnable option
+// to be set to true.
+Unattended-Upgrade::SyslogFacility "{{ unattended_syslog_facility }}";
+{% endif %}
+{% endif %}
+
 {% if unattended_dpkg_options %}
 // Append options for governing dpkg behavior, e.g. --force-confdef.
 Dpkg::Options {
diff --git a/ansible/roles/jnv.unattended-upgrades/tests/test.yml b/ansible/roles/jnv.unattended-upgrades/tests/test.yml
index 45d5485..d73b9a4 100644
--- a/ansible/roles/jnv.unattended-upgrades/tests/test.yml
+++ b/ansible/roles/jnv.unattended-upgrades/tests/test.yml
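Review bot: `Unattended-Upgrade::SyslogEnable "{{ unattended_syslog_enable }}";` renders the Jinja boolean as `True`, whereas every other directive in this template writes a literal `"true"`; APT's boolean parsing is case-insensitive as far as I know, but a variable set to `yes` or `1` would also be passed through verbatim. Since the enclosing `{% if unattended_syslog_enable %}` already guarantees truthiness, write `Unattended-Upgrade::SyslogEnable "true";`. `unattended_syslog_facility` is likewise emitted unvalidated into the apt configuration; a comment such as `// expected value: a syslog facility name (daemon, user, local0..local7, ...)` plus a validation task in the role would catch a typo before apt reads a broken config — the first hunk's `Remove-New-Unused-Dependencies "false"` follows the literal-string convention correctly.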
@@ -6,12 +6,15 @@ inventory: - name: ubuntu_latest image: "ubuntu:latest" + - name: ubuntu_bionic + image: "ubuntu:bionic" - name: ubuntu_xenial image: "ubuntu:xenial" - name: ubuntu_trusty image: "ubuntu:trusty" - - name: debian_testing - image: "debian:testing" + # 6/2020: Disabled Debian Testing due to missing python packages (python-apt) + #- name: debian_testing + # image: "debian:testing" - name: debian_stable image: "debian:stable" - name: debian_oldstable @@ -27,10 +30,11 @@ gather_facts: false pre_tasks: - name: Provision Python - raw: bash -c "test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-simplejson)" + raw: bash -c "test -e /usr/bin/python || (apt-get -y update && apt-get install -y python)" register: output changed_when: output.stdout - - setup: # Gather facts + - name: Gather facts + setup: vars: unattended_autofix_interrupted_dpkg: false unattended_minimal_steps: true @@ -45,13 +49,15 @@ include_role: name: ansible-role-unattended-upgrades register: idempotency - - fail: + - name: fail when idempotency.changed + fail: msg: Role failed idempotency check when: idempotency.changed - name: Get apt-config variables - shell: apt-config dump + command: apt-config dump register: aptconfig + changed_when: false - name: Check for registered variables assert: that: item in aptconfig.stdout @@ -68,3 +74,4 @@ - name: Dry run unattended-upgrades command: /usr/bin/unattended-upgrades --dry-run + changed_when: idempotency.changed|bool diff --git a/ansible/roles/nginxinc.nginx/.github/ISSUE_TEMPLATE/bug_report.md b/ansible/roles/nginxinc.nginx/.github/ISSUE_TEMPLATE/bug_report.md index 5d86399..7a63863 100644 --- a/ansible/roles/nginxinc.nginx/.github/ISSUE_TEMPLATE/bug_report.md +++ b/ansible/roles/nginxinc.nginx/.github/ISSUE_TEMPLATE/bug_report.md 
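Review bot: The changed provisioning line `apt-get install -y python` requests the Python 2 package, which recent Debian and Ubuntu releases no longer ship under that name, so against the `ubuntu:latest` and `debian:stable` images listed in this inventory the `raw` step may fail before any facts are gathered; installing `python3` and setting `ansible_python_interpreter: /usr/bin/python3` for those hosts is the portable form. `changed_when: idempotency.changed|bool` on the `--dry-run` task ties the task's change status to an unrelated earlier register, which reads like a lint workaround rather than a statement about the task — `changed_when: false` is the accurate value for a dry run. The `apt-config dump` task's switch to `command:` with `changed_when: false` is the right pattern and could serve as the model.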
@@ -20,9 +20,9 @@ Steps to reproduce the behavior: A clear and concise description of what you expected to happen. **Your environment:** - - Version of the NGINX Role or specific commit - - Version of Ansible - - Target deployment platform +- Version of the NGINX role or specific commit +- Version of Ansible +- Target deployment platform **Additional context** Add any other context about the problem here. diff --git a/ansible/roles/nginxinc.nginx/.github/pull_request_template.md b/ansible/roles/nginxinc.nginx/.github/pull_request_template.md index d2cf8ae..f07653a 100644 --- a/ansible/roles/nginxinc.nginx/.github/pull_request_template.md +++ b/ansible/roles/nginxinc.nginx/.github/pull_request_template.md 
@@ -1,10 +1,10 @@ ### Proposed changes -Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue here in this description (not in the title of the PR). +Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) here in this description (not in the title of the PR). ### Checklist Before creating a PR, run through this checklist and mark each as complete. -- [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/ansible-role-nginx/blob/master/CONTRIBUTING.md) document +- [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/ansible-role-nginx/blob/main/CONTRIBUTING.md) document - [ ] I have added Molecule tests that prove my fix is effective or that my feature works -- [ ] I have checked that all unit tests pass after adding my changes -- [ ] If required, I have updated necessary documentation (`defaults/main/` and `README.md`) +- [ ] I have checked that all Molecule tests pass after adding my changes +- [ ] I have updated any relevant documentation (`defaults/main/*.yml`, `README.md` and `CHANGELOG.md`) diff --git a/ansible/roles/nginxinc.nginx/.github/workflows/galaxy.yml b/ansible/roles/nginxinc.nginx/.github/workflows/galaxy.yml new file mode 100644 index 0000000..a5f714a --- /dev/null +++ b/ansible/roles/nginxinc.nginx/.github/workflows/galaxy.yml 
@@ -0,0 +1,22 @@
+---
+name: Ansible Galaxy import
+on:
+ release:
+jobs:
+ galaxy:
+ name: Galaxy
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the codebase
+ uses: actions/checkout@v2
+
+ - name: Set up Python 3
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.x
+
+ - name: Install Ansible
+ run: pip3 install ansible-base==2.10.3
+
+ - name: Import release to Ansible Galaxy
+ run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
diff --git a/ansible/roles/nginxinc.nginx/.github/workflows/molecule.yml b/ansible/roles/nginxinc.nginx/.github/workflows/molecule.yml
new file mode 100644
index 0000000..2207a3c
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/.github/workflows/molecule.yml
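Review bot: `on: release:` with no `types` filter fires on every release activity type (`created`, `edited`, `deleted`, `prereleased`, ...), so the Galaxy import runs, and re-imports the role, on release edits and deletions as well as on a publish; `types: [published]` under `release:` limits it to the intended event. The third-party actions are referenced only by a moving major tag (`actions/checkout@v2`, `actions/setup-python@v2`); because this job handles `secrets.GALAXY_API_KEY`, pinning each `uses:` to a full commit SHA (with the tag noted in a trailing comment) gives a reproducible, reviewable supply chain. The same mutable-tag references appear in the molecule.yml hunk that follows.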
@@ -0,0 +1,61 @@
+---
+name: Molecule CI/CD
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ ignore-tags:
+ - "*"
+ schedule:
+ - cron: "0 0 1 * *"
+jobs:
+ molecule:
+ name: Molecule
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ scenario:
+ - default
+ - default_alpine
+ - default_centos
+ - module
+ - module_alpine
+ - module_centos
+ - plus
+ - plus_alpine
+ - plus_centos
+ - source
+ - source_alpine
+ - source_centos
+ steps:
+ - name: Check out the codebase
+ if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
+ uses: actions/checkout@v2
+
+ - name: Set up Python 3
+ if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.x
+
+ - name: Install Molecule dependencies
+ if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
+ run: |
+ pip3 install ansible-base==2.10.4
+ pip3 install ansible==2.10.5
+ pip3 install ansible-lint==4.3.7
+ pip3 install yamllint==1.25.0
+ pip3 install "molecule[docker]"==3.2.2
+ pip3 install docker==4.4.1
+
+ - name: Run Molecule tests
+ if: "!(contains(matrix.scenario, 'plus') && github.event.pull_request.head.repo.full_name != github.repository)"
+ run: molecule test -s ${{ matrix.scenario }}
+ env:
+ PY_COLORS: "1"
+ ANSIBLE_FORCE_COLOR: "1"
+ NGINX_CRT: ${{ secrets.NGINX_CRT }}
+ NGINX_KEY: ${{ secrets.NGINX_KEY }}
diff --git a/ansible/roles/nginxinc.nginx/.gitignore b/ansible/roles/nginxinc.nginx/.gitignore
index 489ae98..a11ae27 100644
--- a/ansible/roles/nginxinc.nginx/.gitignore
+++ b/ansible/roles/nginxinc.nginx/.gitignore
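Review bot: The `if:` guard repeated on all four steps skips the `plus`, `plus_alpine` and `plus_centos` scenarios on `push` and `schedule` runs too, not only on external PRs: outside a pull_request event `github.event.pull_request.head.repo.full_name` is empty, so the inequality holds and the condition reduces to `!contains(matrix.scenario, 'plus')`, unless I am misreading how the expression is evaluated. Restricting the fork check to PR events keeps the secrets-backed scenarios running on `main`: `if: "!(contains(matrix.scenario, 'plus') && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)"`. Separately, `ignore-tags` under `push:` is not a recognised filter key (the documented one is `tags-ignore`), so the `"*"` pattern currently has no effect and tag pushes still trigger the workflow.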
@@ -2,14 +2,19 @@ ############################ *.crt *.key -__pycache__ *~ \#* -# OS Specific +# OS Specific # +############### Thumbs.db .DS_Store .vscode -# Ansible specific -*.retry \ No newline at end of file +# Ansible specific # +#################### +*.retry + +# Python specific # +################### +__pycache__ diff --git a/ansible/roles/nginxinc.nginx/.travis.yml b/ansible/roles/nginxinc.nginx/.travis.yml deleted file mode 100644 index 3a3dfd5..0000000 --- a/ansible/roles/nginxinc.nginx/.travis.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -language: python -services: - - docker -jobs: - include: - - name: "Install Specific Version Test - Debian" - env: scenario=default - - name: "Install Specific Version Test - Alpine" - env: scenario=default_alpine - - name: "Install Specific Version Test - CentOS" - env: scenario=default_centos - - name: "Install Modules Test - Debian" - env: scenario=module - - name: "Install Modules Test - Alpine" - env: scenario=module_alpine - - name: "Install Modules Test - CentOS" - env: scenario=module_centos - - name: "Install Stable Branch and Push Configuration Test - Debian" - env: scenario=stable_push - - name: "Install Stable Branch and Push Configuration Test - Alpine" - env: scenario=stable_push_alpine - - name: "Install Stable Branch and Push Configuration Test - CentOS" - env: scenario=stable_push_centos - - name: "Use Template Setting Test - Debian" - env: scenario=template - - name: "Use Template Setting Test - Alpine" - env: scenario=template_alpine - - name: "Use Template Setting Test - CentOS" - env: scenario=template_centos - - name: "Install Unit Test - Debian" - env: scenario=unit - - name: "Install Unit Test - Alpine" - env: scenario=unit_alpine - - name: "Install Unit Test - CentOS" - env: scenario=unit_centos - - name: "Install from Source Test - Debian" - env: scenario=source - - name: "Install from Source Test - Alpine" - env: scenario=source_alpine - - name: "Install from Source Test - CentOS" - env: scenario=source_centos -before_install: - - sudo apt-get -qq update -install: - - pip install ansible==2.9.6 - - pip install molecule[docker]>=3.0.0 - - pip install testinfra - - pip install ansible-lint - - pip install flake8 -script: - - molecule --version - - ansible --version - - travis_wait 50 molecule test -s $scenario -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ 
diff --git a/ansible/roles/nginxinc.nginx/CHANGELOG.md b/ansible/roles/nginxinc.nginx/CHANGELOG.md new file mode 100644 index 0000000..599543e --- /dev/null +++ b/ansible/roles/nginxinc.nginx/CHANGELOG.md 
@@ -0,0 +1,400 @@ +# Changelog + +## 0.19.1 (January 11, 2021) + +ENHANCEMENTS: + +* The GitHub actions Molecule CI/CD workflow should now correctly avoid running 'plus' related tests on external PRs. +* Update Ansible base to `2.10.4`, Ansible to `2.10.5`, Molecule to `3.2.2` and Docker Python SDK to `4.4.1`. +* Update copyright notice. + +## 0.19.0 (December 23, 2020) + +BREAKING CHANGES: + +**The NGINX configuration functionalities included in this role have been removed as of release 0.19.0.** There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX configuration Ansible role repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on. + +ENHANCEMENTS: + +The GitHub actions Molecule CI/CD workflow is no longer run on a new release (this is not necessary since it already runs on every push). + +## 0.18.2 (December 22, 2020) + +ENHANCEMENTS: + +* Update Molecule to `3.2.1` and Docker Python SDK to `4.4.0`. +* Add Alpine `3.12` to supported platforms for NGINX Plus. +* Remove Alpine `3.9` and CentOS/RHEL `6` from supported platforms due to EOL. +* Replace TravisCI with GitHub actions. + +## 0.18.1 (November 17, 2020) + +ENHANCEMENTS: + +Switch NGINX keysites and OSS default repository data from a dictionary to individual variables to prevent potential issues arisen from Jinja2 dictionary run-time evaluations. + +BUG FIXES: + +Fix issue whereas SELinux state would not be correctly set back to `enforcing` when `nginx_selinux: true`. + +## 0.18.0 (November 13, 2020) + +BREAKING CHANGES: + +**The NGINX Unit functionalities included in this role have been removed as of release 0.18.0.** There now is a separate role to install NGINX Unit available [here](https://github.com/nginxinc/ansible-role-nginx-unit). 
Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit Ansible role repository. New issues or PRs related to NGINX Unit submitted in this repository will not be worked on. + +## 0.17.4 (November 12, 2020) + +ENHANCEMENTS: + +Implement a new syntax to specify modules to be installed. You can now use the following format if you want further fine grained control over how you install modules: +```yaml +- name: njs # Required + state: present # Optional + version: =1.19.4+0.4.4-1~bionic # Optional +``` +The old method of specifying modules (using a list of names) still works as expected. + +## 0.17.3 (November 9, 2020) + +ENHANCEMENTS: + +* Add survey to README. +* Improve README structure and use tables where relevant. +* Update Ansible (now Ansible base) to `2.10.3`, Ansible (now Ansible Community Distribution) to `2.10.3`, Ansible Lint to `4.3.7`, Molecule to `3.1.5`, and yamllint to `1.25.0`. +* Optimize NGINX Plus install/remove tasks. + +BUG FIXES: + +* Prevent TravisCI from trying to build (and failing) NGINX Plus images on external PRs. +* Fix naming for SELinux facts dictionary. +* Role now runs correctly when using Ansible's check mode. +* Removing the NGINX Plus license in RHEL based distros should no longer return a repository not found error. +* Fix issue when removing NGINX Plus license on some distributions. +* Fix Amazon Linux NGINX Plus install while at it. + +## 0.17.2 (September 24, 2020) + +BUG FIXES: + +Fix an issue where sometimes the role handlers will fail in distros where NGINX is not started upon installation. + +## 0.17.1 (September 22, 2020) + +ENHANCEMENTS: + +* The role will no longer fail automatically on unsupported platforms, but the error message will still be displayed. +* The `Check NGINX` handler now always outputs an `ok` state instead of `changed` since it's a read-only operation with no traceable changes. 
+ +## 0.17.0 (September 20, 2020) + +BREAKING CHANGES: + +* The process to install modules has changed. You will now have to use a list variable, `nginx_modules`, instead of manually setting the modules you want to install to `true` or `false`. This change will also simplify adding future supported modules to this role. You can find a list of supported modules for NGINX and NGINX Plus in [`vars/main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml). +* Modules can no longer be added to your NGINX config using this role. Please use the [`nginx_config`](https://github.com/nginxinc/ansible-role-nginx-config) role instead. +* Changed `nginx_configure` default value from `true` to `false` to further promote the adoption of the [NGINX config](https://github.com/nginxinc/ansible-role-nginx-config) role. + +FEATURES: + +* A new variable has been introduced: + * `nginx_setup_license` -- Determine whether you want to use this role to upload your NGINX license to your target host. +* The role will now fail automatically if you try to deploy NGINX from an official repository in an unsupported distribution. You can find a list of supported distributions for NGINX and NGINX Plus in [`vars/main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml) +* Three new tags have been introduced -- `nginx_setup_license`, `nginx_install` and `nginx_check_support`. +* Add Alpine 3.12 to the list of supported platforms. +* Remove Alpine 3.8 from the list of supported platforms. +* Add NGINX Plus tests to TravisCI + +ENHANCEMENTS: + +* Added handlers to check for NGINX syntax validity and fail if any errors are detected. +* Switch to using `ansible_facts` wherever possible. +* Major backend refactoring to reduce the number of files and tasks. +* You can now specify an `nginx_repository` for NGINX Plus too. +* Moved "constant" variables to `vars/main.yml`. +* Included deprecation warnings in task names and files. 
+* Improved tasks naming conventions. +* Update Ansible to `2.9.13` and Ansible Lint to `4.3.5`. + +BUG FIXES: + +* NGINX Plus repository data for RHEL based distros is now appropriately set. +* Building NGINX from source should now work as expected in CentOS/RHEL 6 systems running Python `2.6` or earlier versions of `2.7`. + +## 0.16.0 (August 28, 2020) + +BREAKING CHANGES: + +The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source. + +ENHANCEMENTS: + +* Update Ansible to `2.9.12` and Ansible Lint to `4.3.2`. +* Explicitly define `mode` in relevant tasks. +* Explicitly define the `nginx` `apt_repository` filename in Debian based distros. + +FEATURES: + +TravisCI now always uses the latest version of Docker. + +BUG FIXES: + +Building OpenSSL from source should now work properly in CentOS 8. + +## 0.15.0 (August 20, 2020) + +DEPRECATION WARNING: + +With the advent of Ansible collections and to reduce the overhead of this role, the decision has been made to split this role into three smaller roles: +* The NGINX Ansible role will keep working as is and be used to install and setup NGINX. +* There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX Config repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on. The NGINX configuration functionalities included in this role will be removed in an upcoming release. +* NGINX Unit now has a separate role available [here](https://github.com/nginxinc/ansible-role-nginx-unit). Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit repository. 
New issues or PRs related to NGINX Unit submitted in this repository will not be worked on. The NGINX Unit functionalities included in this role will be removed in an upcoming release. + +BREAKING CHANGES: + +* The Debian and Ubuntu repositories have slightly changed. You may run into some duplication issues when running the role on a preexisting target that already has had NGINX installed using the role. To fix this, manually remove the old repository source. +* If you use `custom_options` you will now need to manually end each directive with a semicolon. +* The `status` directive is no longer supported in NGINX Plus, and the `stub_status` directive has been reworked into a template. +* The listen directive structure in the `stream` template has been updated to the listen directive structure found in the `http` template. You can now specify multiple `listen` directives in the same `server` block as well as include any extra `listen` options you might need. + + Old configuration example + ```yaml + listen_address: localhost + listen_port: 80 + udp_enable: false + ``` + + New configuration example + ```yaml + listen: + listen_localhost: + ip: 0.0.0.0 # Wrap in square brackets for IPv6 addresses + port: 80 + ssl: false + opts: [] # Listen opts like udp which will be added (ssl is automatically added if you specify 'ssl:'). + ``` + + The one major change is that instead of using `udp_enable: true` you will now need to use `opts: [udp]` if you wish to enable `udp`. + +FEATURES: + +* Add support to configure logrotate. +* Add support for Ubuntu Focal. +* Add support to configure SELinux. +* Two new variables have been introduced -- `nginx_install` and `nginx_configure` -- to let you choose whether you want to install NGINX, configure NGINX, or both. + +ENHANCEMENTS: + +* Molecule tests using Testinfra have been migrated to use Ansible instead. +* The role now uses `include_tasks` instead of `import_tasks` when possible to speed up the role's execution time. 
+* Improve configuration cleanup capabilities. You can now remove all `*.conf` files in a given directory, or specify a list of files you wish to delete. +* Improve configuration templating capabilities: + * Add support for unix upstreams. + * Add PID templating option. + * Add support for down parameter in upstreams. + * Add option for custom error pages. + * Add SSL support to `stream` contexts. + +BUG FIXES: + +* `nginx_debug_output` would sometimes fail if NGINX had not been automatically started by the system upon installation. +* If `http_demo_conf` was undefined the web server template interpolation would fail. + +## 0.14.0 (April 22, 2020) + +This is a relatively minor release, but it includes a potential breaking change (hence the version bump). The one major new feature is the ability to install/build NGINX Open Source from source. + +BREAKING CHANGES: + +The NGINX Controller agent can no longer be installed using this role. Please use the Ansible collection linked in the README. + +FEATURES: + +* Install/build NGINX from source options now available. +* Implement NGINX http sub module templating. +* NGINX config is now correctly validated each run. +* SSL Private Key data is hidden when running the role with the `--diff` flag. + +BUG FIXES: + +* The role should no longer sporadically cause apt update to fail in amd64 systems when installing NGINX from an official repository. +* Modules should now correctly install when using a specific NGINX Plus version. + +## 0.13.0 (December 13, 2019) + +BREAKING CHANGES: + +* The new listen templating options are not backwards with the previous listen templating options. Check the `README` or `molecule/template_module/playbook.yml` for examples on how to use the new listen template. +* BSD and Linux NGINX installation tasks have undergone some major changes. As such, you may have to update your playbooks accordingly. + +FEATURES: + +* Improve NGINX http templating: + * Multiple server support in HTTP contexts. 
+ * Header support. + * OCSP stapling. + * Improved proxy settings. + * Logging settings. + * Improved SSL settings. + * Improved authentication settings. + * Max body size support. + * Improved listen templating. +* Switch to Molecule for testing. +* Add support for Debian Buster. +* Support for specifying which version of NGINX to install. +* Split default variables into multiple functional files. +* Improve support for Alpine distributions. +* Support for updating or removing NGINX from your system. +* Implemented tags to support running specific tasks instead of the whole role. + +BUG FIXES: + +* Module installation when using NGINX Plus has been fixed. +* Websockets templating has been reenabled after being accidentally deleted. +* When deleting your NGINX Plus license from the system, the NGINX Plus repository will also be deleted to prevent issues further down the line if you run a repository update since there will not be a license anymore to authenticate into the NGINX Plus repository. + +## 0.12.0 (May 22, 2019) + +FEATURES: + +Improve NGINX http templating - following parameters are now supported: +* Websockets. +* Basic authentication. +* Proxy cache. +* Proxy redirect. +* Proxy timeouts. +* SSL. +* Root (in server context). +* Add basic NGINX stream templating. +* Add support for RHEL 8 and Alpine Linux. + +BUG FIXES: + +Fix module installation tasks. + +## 0.11.0 (Januray 14, 2019) + +FEATURES: + +* Allow setting a custom apt and rpm signing key host. +* Add support for enabling an http to https redirects. +* Add ansible_managed to templates. +* Rename html_app_name to web_server_name. +* Rename load_balancer block to reverse_proxy. +* Allow setting the listen port when using SSL. +* Improve SSL defaults. +* Allow setting http or https server locations in proxy_pass. + +BUG FIXES: + +* Ignore undefined values for autoindex and health check. +* Clarify that the redirect variable refers to a http to https redirect. 
+ +## 0.10.1 (November 26, 2018) + +BUG FIXES: + +Fix HTML template to use correct variable name. + +## 0.10.0 (November 26, 2018) + +FEATURES: + +Improve templating support for health checks, multiple location blocks, and auto indexing. + +BUG FIXES: + +* Fetching the NGINX signing key is now more reliable. +* Fixed HTML templating. + +## 0.9.0 (October 18, 2018) + +FEATURES: + +* Refactor NGINX templating and file uploading. +* Add ability to upload and template HTML files. +* Add ability to upload SSL keys and certificates. + +## 0.8.0 (September 17, 2018) + +FEATURES: + +* Add ability to install NGINX Plus Controller agent. +* Refactor installation of NGINX Amplify agent. +* Rename variables to be prefixed with `nginx_`. + +BUG FIXES: + +Correct spelling of name in `tasks/prerequisites/setup-debian.yml`. + +## 0.7.1 (August 21, 2018) + +FEATURES: + +Add enabled parameter to NGINX and NGINX Unit handlers. + +## 0.7.0 (August 4, 2018) + +FEATURES: + +* Add Amazon Linux 2 support for NGINX Plus. +* Add ability to delete NGINX Plus license after installation. + +BUG FIXES: + +* GeoIP module can now be properly installed. +* Module installation will no longer fail if only one module is specified. + +## 0.6.0 (July 19, 2018) + +FEATURES: + +* Improve NGINX Unit related documentation. +* Add FreeBSD and Amazon Linux 2 support for NGINX Unit. +* Allow users to install NGINX Unit without having to also install NGINX. + +## 0.5.0 (June 28, 2018) + +FEATURES: + +Add support for NGINX Unit. + +## 0.4.0 (May 25, 2018) + +FEATURES: + +* Implement support for FreeBSD. +* Allow users to select the default NGINX repository. + +## 0.3.0 (April 19, 2018) + +FEATURES: + +Improve Travis CI testing strategy. + +BUG FIXES: + +Fix templating and push tasks. + +## 0.2.0 (April 12, 2018) + +FEATURES: + +Add support for all first party NGINX modules. + +BUG FIXES: + +* Role should now work correctly in distros with old versions of Python. 
+* Rest API configuration will now only be created when rest_api_enable is set to true (an empty file would be created in previous versions if rest_api_enable was set to false). +* Uploading/dynamically generating files should now result in the files being uploaded/created to/in the correct directory. + +## 0.1.0 - Initial release (Januray 26, 2018) + +Initial release of the NGINX Ansible role. Features include: + +* Install NGINX Open Source or NGINX Plus. +* Choose between stable or mainline NGINX Open Source. +* Install NGINX Amplify. +* Install NGINX Javascript, Perl, and ModSecurity WAF NGINX modules. +* Enable the NGINX Plus REST API and dashboard. +* Upload NGINX configuration files. +* Templated NGINX configuration system. diff --git a/ansible/roles/nginxinc.nginx/CONTRIBUTING.md b/ansible/roles/nginxinc.nginx/CONTRIBUTING.md index b71585a..a776a0d 100644 --- a/ansible/roles/nginxinc.nginx/CONTRIBUTING.md +++ b/ansible/roles/nginxinc.nginx/CONTRIBUTING.md 
@@ -14,25 +14,26 @@ The following is a set of guidelines for contributing to the NGINX Ansible role. * [Git Guidelines](#git-guidelines) * [Ansible Guidelines](#ansible-guidelines) -[Code of Conduct](https://github.com/nginxinc/ansible-role-nginx/blob/master/CODE_OF_CONDUCT.md) +[Code of Conduct](https://github.com/nginxinc/ansible-role-nginx/blob/main/CODE_OF_CONDUCT.md) ## Ask a Question -Please open an Issue on GitHub with the label `question`. +Don't know how something works? Curious if the role can achieve your desired functionality? Please open an Issue on GitHub with the label `question`. ## Getting Started -Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nginx/blob/master/README.md#Installation) to install Ansible and Molecule and get ready to use the NGINX Ansible role. +Follow our [Installation Guide](https://github.com/nginxinc/ansible-role-nginx/blob/main/README.md#Installation) to install Ansible and Molecule and get ready to use the NGINX Ansible role. ### Project Structure -* The NGINX Ansible role is written in `yaml` and supports open source NGINX, NGINX Plus, NGINX Amplify, and NGINX Unit. -* The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html) - * The main code is found at `tasks/` - * The main variables can be found at `defaults/main/` - * Configuration templates for NGINX can be found at `templates/` +* The NGINX Ansible role is written in `yaml` and supports NGINX Open Source, NGINX Plus, and NGINX Amplify. +* The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html): + * The main code is found in `tasks/`. + * Variables can be found in `defaults/main/*.yml`. + * "Constant" variables can be found in `vars/main.yml`. + * Configuration templates for NGINX can be found in `templates/`. 
* [Molecule](https://molecule.readthedocs.io/) tests can be found in `molecule/`. - * CI/CD is done via Travis using `.travis.yml` Deployment yaml files, and Helm files are found at `deployments/` + * CI/CD is done via Travis using `.travis.yml` deployment `yaml` files. ## Contributing 
@@ -46,27 +47,27 @@ To suggest an enhancement, please create an issue on GitHub with the label `enha ### Open a Pull Request -* Fork the repo, create a branch, submit a PR when your changes are tested and ready for review -* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nginx/blob/master/.github/PULL_REQUEST_TEMPLATE.md) +* Fork the repo, create a branch, submit a PR when your changes are **tested** (ideally using Molecule) and ready for review. +* Fill in [our pull request template](https://github.com/nginxinc/ansible-role-nginx/blob/main/.github/PULL_REQUEST_TEMPLATE.md). Note: if you’d like to implement a new feature, please consider creating a feature request issue first to start a discussion about the feature. ## Code Guidelines -### Git Guidelines - -* Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR -* Follow the guidelines of writing a good commit message as described here and summarised in the next few points - * In the subject line, use the present tense ("Add feature" not "Added feature") - * In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to...") - * Limit the subject line to 72 characters or less - * Reference issues and pull requests liberally after the subject line - * Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`) - ### Ansible Guidelines * Run `molecule lint` over your code to automatically resolve a lot of `yaml` and Ansible style issues. -* Run `molecule test --all` on your code to catch any other issues. +* Run `molecule test --all` on your code before you submit a PR to catch any potential issues. 
* Follow these guides on some good practices for Ansible: * * + +### Git Guidelines + +* Keep a clean, concise and meaningful git commit history on your branch (within reason), rebasing locally and squashing before submitting a PR. +* Follow the guidelines of writing a good commit message as described here and summarised in the next few points: + * In the subject line, use the present tense ("Add feature" not "Added feature"). + * In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to..."). + * Limit the subject line to 72 characters or less. + * Reference issues and pull requests liberally after the subject line. + * Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`). diff --git a/ansible/roles/nginxinc.nginx/README.md b/ansible/roles/nginxinc.nginx/README.md index 5cc122b..aba5ddf 100644 --- a/ansible/roles/nginxinc.nginx/README.md +++ b/ansible/roles/nginxinc.nginx/README.md 
@@ -1,414 +1,182 @@ -Ansible NGINX Role -================== - [![Ansible Galaxy](https://img.shields.io/badge/galaxy-nginxinc.nginx-5bbdbf.svg)](https://galaxy.ansible.com/nginxinc/nginx) -[![Build Status](https://travis-ci.org/nginxinc/ansible-role-nginx.svg?branch=master)](https://travis-ci.org/nginxinc/ansible-role-nginx) +[![Molecule CI/CD](https://github.com/nginxinc/ansible-role-nginx/workflows/Molecule%20CI/CD/badge.svg)](https://github.com/nginxinc/ansible-role-nginx/actions) +[![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) -This role installs NGINX Open Source, NGINX Plus, the NGINX Amplify agent, or NGINX Unit on your target host. +# 👾 *Help make the NGINX Ansible role better by participating in our [survey](https://forms.office.com/Pages/ResponsePage.aspx?id=L_093Ttq0UCb4L-DJ9gcUKLQ7uTJaE1PitM_37KR881UM0NCWkY5UlE5MUYyWU1aTUcxV0NRUllJSC4u)!* 👾 + +# Ansible NGINX Role + +This role installs NGINX Open Source, NGINX Plus, or the NGINX Amplify agent on your target host. **Note:** This role is still in active development. There may be unidentified issues and the role variables may change as development continues. -Requirements ------------- +**Deprecation Warnings:** -**Ansible** +With the advent of Ansible collections and the release of the [NGINX Core Ansible collection](https://github.com/nginxinc/ansible-collection-nginx), the decision has been made to split this role into three smaller roles and reduce the overhead of this role: +* The NGINX Ansible role will keep working as is and be used to install and setup NGINX. +* **The NGINX configuration functionalities included in this role have been removed as of release 0.19.0.** There now is a separate role to manage and create NGINX configurations available [here](https://github.com/nginxinc/ansible-role-nginx-config). 
Any new issues or PRs related to configuring NGINX should be submitted in the new NGINX configuration Ansible role repository. New issues or PRs related to configuring NGINX submitted in this repository will not be worked on. This disclaimer will be removed in a future release. +* **The NGINX Unit functionalities included in this role have been removed as of release 0.18.0.** There now is a separate role to install NGINX Unit available [here](https://github.com/nginxinc/ansible-role-nginx-unit). Any new issues or PRs related to NGINX Unit should be submitted in the new NGINX Unit Ansible role repository. New issues or PRs related to NGINX Unit submitted in this repository will not be worked on. This disclaimer will be removed in a future release. -This role was developed and tested with [maintained](https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#release-status) versions of Ansible. Backwards compatibility is not guaranteed. +## Requirements -Instructions on how to install Ansible can be found in the [Ansible website](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). +### Ansible -**Molecule** +* This role is developed and tested with [maintained](https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#release-status) versions of Ansible. Backwards compatibility is not guaranteed. +* Instructions on how to install Ansible can be found in the [Ansible website](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). -Molecule is used to test the various functionailities of the role. Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html). +### Molecule -Installation ------------- +* Molecule `3.x` is used to test the various functionalities of the role. 
+* Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html). -**Ansible Galaxy** +## Installation + +### Ansible Galaxy Use `ansible-galaxy install nginxinc.nginx` to install the latest stable release of the role on your system. -**Git** +### Git Use `git clone https://github.com/nginxinc/ansible-role-nginx.git` to pull the latest edge commit of the role from GitHub. -Platforms ---------- +## Platforms -The NGINX Ansible role supports all platforms supported by [NGINX Open Source](https://nginx.org/en/linux_packages.html#mainline), [NGINX Plus](https://www.nginx.com/products/technical-specs/), the [NGINX Amplify agent](https://github.com/nginxinc/nginx-amplify-doc/blob/master/amplify-faq.md#21-what-operating-systems-are-supported), and [NGINX Unit](https://unit.nginx.org/installation/#official-packages): +The NGINX Ansible role supports all platforms supported by [NGINX Open Source](https://nginx.org/en/linux_packages.html), [NGINX Plus](https://docs.nginx.com/nginx/technical-specs/), and the [NGINX Amplify agent](https://github.com/nginxinc/nginx-amplify-doc/blob/master/amplify-faq.md#21-what-operating-systems-are-supported): -**NGINX Open Source** +### NGINX Open Source ```yaml Alpine: - versions: - - 3.8 - - 3.9 - - 3.10 - - 3.11 + - 3.10 + - 3.11 + - 3.12 CentOS: - versions: - - 6 - - 7 - - 8 + - 7.4+ + - 8 Debian: - versions: - - stretch - - buster -FreeBSD: - versions: - - 11.2+ - - 12 -RedHat: - versions: - - 6 - - 7.4+ - - 8 + - stretch + - buster +Red Hat: + - 7.4+ + - 8 SUSE/SLES: - versions: - - 12 - - 15 + - 12 + - 15 Ubuntu: - versions: - - xenial - - bionic + - xenial + - bionic + - eoan + - focal ``` -**NGINX Plus** +### NGINX Plus ```yaml Alpine: - versions: - - 3.8 - - 3.9 - - 3.10 - - 3.11 + - 3.10 + - 3.11 + - 3.12 Amazon Linux: - versions: - - 2018.03 + - 2018.03 Amazon Linux 2: - versions: - - LTS + - any CentOS: - versions: - - 6.5+ - - 7.4+ - - 8 + - 7.4+ + - 8 
Debian: - versions: - - stretch - - buster + - stretch + - buster FreeBSD: - versions: - - 11.2+ - - 12 + - 11.2+ + - 12 Oracle Linux: - versions: - - 6.5+ - - 7.4+ -RedHat: - versions: - - 6.5+ - - 7.4+ - - 8 + - 6.5+ + - 7.4+ +Red Hat: + - 7.4+ + - 8 SUSE/SLES: - versions: - - 12 - - 15 + - 12 + - 15 Ubuntu: - versions: - - xenial - - bionic + - xenial + - bionic + - eoan + - focal ``` -**NGINX Amplify Agent** +### NGINX Amplify Agent ```yaml Amazon Linux: - versions: - - 2017.09 + - 2017.09 CentOS: - versions: - - 6 - - 7 + - 7 Debian: - versions: - - jessie - - stretch + - jessie + - stretch +Red Hat: + - 7 Ubuntu: - versions: - - xenial - - bionic -RedHat: - versions: - - 6 - - 7 + - xenial + - bionic + - focal ``` -**NGINX Unit** +**Note:** You can also use this role to compile NGINX Open Source from source, install NGINX Open Source on compatible yet unsupported platforms, or install NGINX Open Source on BSD systems at your own risk. -```yaml -CentOS: - versions: - - 6 - - 7 -RedHat: - versions: - - 6 - - 7 -Debian: - versions: - - jessie - - stretch - - buster -Ubuntu: - versions: - - xenial - - bionic -Amazon Linux: - versions: - - 2018.03 -Amazon Linux 2: - versions: - - 2 -FreeBSD: - versions: - - 10 - - 11 -``` +## Role Variables -Role Variables --------------- +This role has multiple variables. The descriptions and defaults for all these variables can be found in the **[`defaults/main/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/)** folder in the following files: -This role has multiple variables. 
The descriptions and defaults for all these variables can be found in the directory **`defaults/main`** in the following files: +|Name|Description| +|----|-----------| +|**[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/main.yml)**|NGINX installation variables| +|**[`amplify.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/amplify.yml)**|NGINX Amplify agent installation variables| +|**[`linux.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/linux.yml)**|Linux installation variables| +|**[`bsd.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/bsd.yml)**|BSD installation variables| -- **[defaults/main/main.yml](./defaults/main/main.yml):** NGINX installation variables -- **[defaults/main/amplify.yml](./defaults/main/amplify.yml):** NGINX Amplify agent installation variables -- **[defaults/main/template.yml](./defaults/main/template.yml):** NGINX configuration templating variables -- **[defaults/main/upload.yml](./defaults/main/upload.yml):** NGINX configuration/HTML/SSL upload variables -- **[defaults/main/linux.yml](./defaults/main/linux.yml):** Linux installation variables -- **[defaults/main/bsd.yml](./defaults/main/bsd.yml):** BSD installation variables -- **[defaults/main/unit.yml](./defaults/main/unit.yml):** NGINX Unit installation variables +Similarly, descriptions and defaults for preset variables can be found in the **[`vars/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/)** folder in the following files: -Dependencies ------------- +|Name|Description| +|----|-----------| +|**[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml)**|List of supported NGINX platforms and modules| -None +## Example Playbooks -Example Playbook ----------------- +Working functional playbook examples can be found in the 
**[`molecule/common/playbooks/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/)** folder in the following files: -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing the open source version of NGINX. +|Name|Description| +|----|-----------| +|**[`default_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/default_converge.yml)**|Install a specific version of NGINX and set up logrotate| +|**[`module_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/module_converge.yml)**|Install various NGINX supported modules| +|**[`plus_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/plus_converge.yml)**|Install NGINX Plus and various NGINX Plus supported modules| +|**[`source_converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/common/playbooks/source_converge.yml)**|Install NGINX from source| -```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx -``` +Do note that if you install this repository via Ansible Galaxy, you will have to replace the role variable in the sample playbooks from `ansible-role-nginx` to `nginxinc.nginx`. -This is a sample playbook file for deploying the Ansible Galaxy NGINX role to a dynamic inventory containing the `nginx` tag. +## Other NGINX Ansible Collections and Roles -```yaml ---- -- hosts: tag_nginx - remote_user: root - roles: - - role: nginxinc.nginx -``` +You can find the Ansible NGINX Core collection of roles to install and configure NGINX Open Source, NGINX Plus, and NGINX App Protect [here](https://github.com/nginxinc/ansible-collection-nginx). -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing the open source version of NGINX as a simple web server. 
+You can find the Ansible NGINX configuration role to configure NGINX [here](https://github.com/nginxinc/ansible-role-nginx-config). -```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx - vars: - nginx_http_template_enable: true - nginx_http_template: - default: - template_file: http/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - # ip: 0.0.0.0 - port: 80 - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - web_server: - locations: - default: - location: / - html_file_location: /usr/share/nginx/html - html_file_name: index.html - autoindex: false - http_demo_conf: false -``` +You can find the Ansible NGINX App Protect role to install and configure NGINX App Protect [here](https://github.com/nginxinc/ansible-role-nginx-app-protect). -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing the open source version of NGINX as a reverse proxy. +You can find the Ansible NGINX Controller collection of roles to install and configure NGINX Controller [here](https://github.com/nginxinc/ansible-collection-nginx_controller). 
-```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx - vars: - nginx_http_template_enable: true - nginx_http_template: - default: - template_file: http/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - # ip: 0.0.0.0 - port: 80 - opts: - - default_server - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - reverse_proxy: - locations: - frontend: - location: / - proxy_pass: http://frontend_servers - backend: - location: /backend - proxy_pass: http://backend_servers - upstreams: - upstream_1: - name: frontend_servers - lb_method: least_conn - zone_name: frontend - zone_size: 64k - sticky_cookie: false - servers: - frontend_server_1: - address: 0.0.0.0 - port: 8081 - weight: 1 - health_check: max_fails=3 fail_timeout=5s - upstream_2: - name: backend_servers - lb_method: least_conn - zone_name: backend - zone_size: 64k - sticky_cookie: false - servers: - backend_server_1: - address: 0.0.0.0 - port: 8082 - weight: 1 - health_check: max_fails=3 fail_timeout=5s - frontend: - template_file: http/default.conf.j2 - conf_file_name: frontend_default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - ip: 0.0.0.0 - port: 8081 - ssl: false - opts: [] - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - web_server: - locations: - frontend_site: - location: / - proxy_hide_headers: - - X-Powered-By - html_file_location: /usr/share/nginx/html - html_file_name: index.html - autoindex: false - http_demo_conf: false - backend: - template_file: http/default.conf.j2 - conf_file_name: backend_default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - ip: 0.0.0.0 - port: 8082 - ssl: false - opts: [] - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - web_server: - locations: - 
backend_site: - location: / - html_file_location: /usr/share/nginx/html - html_file_name: index.html - autoindex: false - http_demo_conf: false -``` +You can find the Ansible NGINX Unit role to install NGINX Unit [here](https://github.com/nginxinc/ansible-role-nginx-unit). +## License -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost and installing NGINX Plus. +[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx/blob/main/LICENSE) -```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx - vars: - nginx_type: plus -``` - -This is a sample playbook file for deploying the Ansible Galaxy NGINX role in a localhost to install NGINX Unit and the PHP/Perl NGINX Unit language modules. - -```yaml ---- -- hosts: localhost - become: true - roles: - - role: nginxinc.nginx - vars: - nginx_enable: false - nginx_unit_enable: true - nginx_unit_modules: - - unit-php - - unit-perl -``` - -To run any of the above sample playbooks create a `setup-nginx.yml` file and paste the contents. Executing the Ansible Playbook is then as simple as executing `ansible-playbook setup-nginx.yml`. - -Alternatively, you can also clone this repository instead of installing it from Ansible Galaxy. If you decide to do so, replace the role variable in the previous sample playbooks from `nginxinc.nginx` to `ansible-role-nginx`. 
- -Other NGINX Roles ------------------ - -You can find an Ansible collection of roles to help you install and configure NGINX Controller [here](https://github.com/nginxinc/ansible-collection-nginx_controller) - -License -------- - -[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx/blob/master/LICENSE) - -Author Information ------------------- +## Author Information [Alessandro Fael Garcia](https://github.com/alessfg) [Grzegorz Dzien](https://github.com/gdzien) -© [NGINX, Inc.](https://www.nginx.com/) 2018 - 2020 +[Tom Gamull](https://github.com/magicalyak) + +© [F5 Networks, Inc.](https://www.f5.com/) 2018 - 2021 diff --git a/ansible/roles/nginxinc.nginx/defaults/main/amplify.yml b/ansible/roles/nginxinc.nginx/defaults/main/amplify.yml index 6e041c9..2c6a534 100644 --- a/ansible/roles/nginxinc.nginx/defaults/main/amplify.yml +++ b/ansible/roles/nginxinc.nginx/defaults/main/amplify.yml @@ -1,7 +1,7 @@ --- # Install NGINX Amplify. # Use your NGINX Amplify API key. -# Requires access to either the NGINX stub status or the NGINX Plus REST API. +# Requires access to either the NGINX stub_status or the NGINX Plus REST API. # Default is null. nginx_amplify_enable: false nginx_amplify_api_key: null diff --git a/ansible/roles/nginxinc.nginx/defaults/main/bsd.yml b/ansible/roles/nginxinc.nginx/defaults/main/bsd.yml index 941f3ba..be7c5fb 100644 --- a/ansible/roles/nginxinc.nginx/defaults/main/bsd.yml +++ b/ansible/roles/nginxinc.nginx/defaults/main/bsd.yml 
@@ -1,26 +1,16 @@ --- -# Supported distributions -nginx_bsd_systems: ['FreeBSD', 'NetBSD', 'OpenBSD', 'DragonFlyBSD', 'HardenedBSD'] - -# Supported distributions NGINX Plus -# https://docs.nginx.com/nginx/technical-specs/ -nginx_plus_bsd_systems: ['FreeBSD'] - # Choose to install BSD packages or ports. -# Options are True for packages or False for ports. -# Default is True. +# Options are true for packages or false for ports. +# Default is true. nginx_bsd_install_packages: true # Choose to update BSD ports collection. -# Options are True for update or False for do not update. -# Default is True. +# Options are true for update or false for do not update. +# Default is true. nginx_bsd_update_ports: true # Choose to install packages built from BSD ports collection if # available. -# Options are True for use packages or False for do not use packages. -# Default is True. +# Options are true for use packages or false for do not use packages. +# Default is true. nginx_bsd_portinstall_use_packages: true - -# FreeBSD extra packages -nginx_freebsd_extra_packages: ['security/ca_root_nss'] diff --git a/ansible/roles/nginxinc.nginx/defaults/main/linux.yml b/ansible/roles/nginxinc.nginx/defaults/main/linux.yml deleted file mode 100644 index 0be7b2f..0000000 --- a/ansible/roles/nginxinc.nginx/defaults/main/linux.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# Supported distributions -nginx_linux_families: ['Alpine', 'Debian', 'RedHat', 'Suse'] - -# Supported distributions NGINX Plus -# https://docs.nginx.com/nginx/technical-specs/ -# RedHat={Amazon,CentOS,OracleLinux,RHEL} Debian={Ubuntu,Debian} -nginx_plus_linux_families: ['Alpine', 'Debian', 'RedHat', 'Suse'] - -# Default locations and versions for install from source -pcre_version: pcre-8.43 -zlib_version: zlib-1.2.11 -openssl_version: openssl-1.1.1c diff --git a/ansible/roles/nginxinc.nginx/defaults/main/logrotate.yml b/ansible/roles/nginxinc.nginx/defaults/main/logrotate.yml new file mode 100644 index 0000000..d9f01de 
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/defaults/main/logrotate.yml
@@ -0,0 +1,15 @@
+---
+# Create custom logrotate config
+nginx_logrotate_conf_enable: false
+nginx_logrotate_conf:
+ paths:
+ - "/var/log/nginx/*.log"
+ options:
+ - daily
+ - missingok
+ - rotate 14
+ - compress
+ - delaycompress
+ - notifempty
+ - create 0644 www-data adm # Changes nginx logs permissions
+ - sharedscripts
diff --git a/ansible/roles/nginxinc.nginx/defaults/main/main.yml b/ansible/roles/nginxinc.nginx/defaults/main/main.yml
index 7d1dbe6..3d8f7dc 100644
--- a/ansible/roles/nginxinc.nginx/defaults/main/main.yml
+++ b/ansible/roles/nginxinc.nginx/defaults/main/main.yml
@@ -1,8 +1,13 @@
 ---
-# Install NGINX.
+# Enable NGINX options -- `nginx_install` and `nginx_configure`.
 # Default is true.
 nginx_enable: true
+# Install NGINX and NGINX modules.
+# Variables for these options can be found below.
+# Default is true.
+nginx_install: true
+
 # Start NGINX service.
 # Default is true.
 nginx_start: true
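Review bot: The default `options` list ends with `sharedscripts` but contains no `postrotate` hook, so unless the template renders one separately (not visible here) nothing tells nginx to reopen its logs after rotation; nginx keeps its descriptor on the renamed `.1` file, the freshly `create`d file stays empty, and with `delaycompress` the still-active file is compressed on the next run. The conventional hook is `[ -f /var/run/nginx.pid ] && kill -USR1 $(cat /var/run/nginx.pid)`, which would need its own key under `nginx_logrotate_conf` rather than a bare list entry. Separately, `create 0644 www-data adm` hard-codes Debian's user/group, while the role's own main template (deleted in this same change) ran nginx as `user: nginx`, which is also what the nginx.org packages use; on a host with no `www-data` user logrotate will refuse to rotate, so the owner should follow the user the role installs and the comment should say which user is assumed.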
@@ -15,14 +20,14 @@ nginx_debug_output: false # Default is 'opensource'. nginx_type: opensource -# Specify which version of NGINX you want to install. -# Default is empty. +# (Optional) Specify which version of NGINX you want to install. +# Default is to install the latest release. # nginx_version: "=19-1~bionic" -# For Plus and modules you'll need a wilcard like below (which installs plus-20 and modules) +# For NGINX Plus and modules you'll need a wilcard like below (which installs plus-20 and modules) # nginx_version: "-20*" # Specify whether you want to maintain your version of NGINX, upgrade to the latest version, or remove NGINX. -# Can be used with `nginx_version` to achieve fine tune control on which version of NGINX is installed/used on each playbook execution. +# Can be used with `nginx_version` to fine tune control on which version of NGINX is installed/used on each playbook execution. # Using 'present' will install the latest version (or 'nginx_version') of NGINX on a fresh install. # Using 'latest' will upgrade NGINX to the latest version (that matches your 'nginx_version') of NGINX on every playbook execution. # Using 'absent' will remove NGINX from your system. 
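Review bot: The new header comment on `nginx_enable` refers to `nginx_configure`, but no variable of that name appears in the defaults visible here, and the README in this same change states that NGINX configuration was removed from this role in 0.19.0 and moved to ansible-role-nginx-config, so a reader will look for a switch that presumably no longer exists. Suggest `# Master switch for the role -- when false, none of the NGINX options below (e.g. nginx_install) take effect.`, or, if `nginx_configure` is still read somewhere in vars/tasks, a pointer to where it is defined.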
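Review bot: The rewritten comment line keeps the typo `wilcard`; suggest `# For NGINX Plus and modules you'll need a wildcard like below (which installs plus-20 and modules)`. Since the line above now states the default is the latest release, it is also worth adding that pinning `nginx_version` is the only way to get a reproducible install across runs.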
@@ -36,27 +41,24 @@ nginx_state: present nginx_install_from: nginx_repository # Specify source install options for NGINX Open Source. -# Options represent whether to install from source also -# or to install from packages (default). These only apply -# if 'nginx_install_from' is set to 'source' -# For the tools, true means we will isntall from a package -# and false means install from source. -# 'nginx_install_source_build_tools' will install compiler -# and build tools from packages. If false, you need to have -# these present. +# Options represent whether to install from source also or to install from packages (default). +# These only apply if 'nginx_install_from' is set to 'source'. +# For the tools, true means we will install from a package and false means install from source. +# 'nginx_install_source_build_tools' will install compiler and build tools from packages. +# If false, you need to have these present. nginx_install_source_build_tools: true nginx_install_source_pcre: false nginx_install_source_openssl: true nginx_install_source_zlib: false -# Choose where to fetch the NGINX signing key from. +# (Optional) Choose where to fetch the NGINX signing key from. # Default is the official NGINX signing key host. # nginx_signing_key: http://nginx.org/keys/nginx_signing.key -# Specify source repository for NGINX Open Source. -# Only works if 'install_from' is set to 'nginx_repository'. +# (Optional) Specify repository for NGINX Open Source or NGINX Plus. +# Only works if 'install_from' is set to 'nginx_repository' when installing NGINX Open Source. # Defaults are the official NGINX repositories. -# nginx_repository: deb https://nginx.org/packages/mainline/debian/ stretch nginx +# nginx_repository: deb [arch=amd64] https://nginx.org/packages/mainline/debian/ buster nginx # Specify which branch of NGINX Open Source you want to install. # Options are 'mainline' or 'stable'. 
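Review bot: The documented example for `nginx_signing_key` fetches the repository signing key over plain `http://`; that key is the trust root for every package the role installs afterwards, so anyone who can rewrite that download can substitute their own key and have their packages pass apt/rpm signature checks. nginx.org serves the same key over TLS, so the example (and, presumably, the real default in `vars/`, not visible here) should read `# nginx_signing_key: https://nginx.org/keys/nginx_signing.key`. If the key is imported with `apt_key`/`rpm_key`, pinning its ID or fingerprint (`id:` / `fingerprint:`) would additionally make the download path irrelevant. The `nginx_repository` example in the same hunk already uses `https://`, so this is the one remaining cleartext fetch.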
@@ -70,24 +72,37 @@ nginx_license: certificate: license/nginx-repo.crt key: license/nginx-repo.key +# Set up NGINX Plus license before installation. +# Default is true. +nginx_setup_license: true + # Remove NGINX Plus license and repository after installation for security purposes. -# Default is false. -nginx_delete_license: false +# Default is true. +nginx_remove_license: true -# Install NGINX JavaScript, Perl, ModSecurity WAF (NGINX Plus only), GeoIP, Image-Filter, RTMP Media Streaming (NGINX Plus only), and/or XSLT modules. -# Default is false. -nginx_modules: - njs: false - perl: false - waf: false - geoip: false - image_filter: false - rtmp: false - xslt: false - -# Remove previously existing NGINX configuration files. -# Use a list of paths you wish to remove. -# Default is false. -nginx_cleanup_config: false -nginx_cleanup_config_path: - - /etc/nginx/conf.d +# Install NGINX Modules. +# You can select any of the modules listed below. Beware of NGINX Plus only modules (these are marked). +# Format is list with either the module name or a dictionary (see njs for an example). +# When using a dictionary, the default value for state is present, and for version it's nginx_version if specified. +# Default is an empty list (no modules are installed). +nginx_modules: [] + # - auth-spnego # NGINX Plus + # - brotli # NGINX Plus + # - cookie-flag # NGINX Plus + # - encrypted-session # NGINX Plus + # - geoip + # - geoip2 # NGINX Plus + # - headers-more # NGINX Plus + # - image-filter + # - lua # NGINX Plus + # - name: njs # Required + # state: present # Optional + # version: =1.19.4+0.4.4-1~bionic # Optional + # - opentracing # NGINX Plus + # - passenger # NGINX Plus + # - perl # NGINX Plus + # - prometheus # NGINX Plus + # - rtmp + # - subs-filter # NGINX Plus + # - waf # NGINX Plus + # - xslt diff --git a/ansible/roles/nginxinc.nginx/defaults/main/selinux.yml b/ansible/roles/nginxinc.nginx/defaults/main/selinux.yml new file mode 100644 index 0000000..5c6afb5 
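Review bot: `nginx_delete_license` is renamed to `nginx_remove_license` and its default flips from `false` to `true` in the same hunk, so an existing playbook that set `nginx_delete_license: false` to keep the Plus repository and certificate on the host now silently gets the opposite behaviour, because the old name is no longer read anywhere. A one-line shim in defaults keeps those users working while they migrate: `nginx_remove_license: "{{ nginx_delete_license | default(true) }}"`, with a comment marking the old name deprecated. The default flip itself is a sensible hardening change (the comment says it removes the license and repository for security purposes), but it deserves an explicit CHANGELOG entry for the same reason.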
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/defaults/main/selinux.yml
@@ -0,0 +1,15 @@
+---
+# Set SELinux enforcing for NGINX (CentOS/Red Hat only) - you may need to open ports on your own
+nginx_selinux: false
+# Enable enforcing mode if true. Permissive if false (audit only, no enforcing) globally (only works with nginx_selinux: true)
+nginx_selinux_enforcing: true
+# List of TCP ports to add to http_port_t type (80 and 443 have this type already)
+# nginx_selinux_tcp_ports:
+# - 80
+# - 443
+# List of UDP ports to add to http_port_t type
+# nginx_selinux_udp_ports:
+# - 80
+# - 443
+# Temporary directory to hold selinux modules
+nginx_selinux_tempdir: /tmp
diff --git a/ansible/roles/nginxinc.nginx/defaults/main/systemd.yml b/ansible/roles/nginxinc.nginx/defaults/main/systemd.yml
new file mode 100644
index 0000000..7d9c006
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/defaults/main/systemd.yml
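Review bot: `nginx_selinux_tempdir: /tmp` stages SELinux policy modules in a world-writable directory; if the tasks (not visible here) write a `.te`/`.pp` file under a predictable name there and then load it with `semodule` as root, a local unprivileged user who pre-creates or swaps that file gets attacker-controlled policy installed with root privileges. Default to a root-owned, non-shared location and say why in the comment, e.g. `# Root-owned staging directory for SELinux policy modules; do not point this at a world-writable path such as /tmp` with `nginx_selinux_tempdir: /root/.nginx-selinux`, or have the tasks create the directory with `ansible.builtin.tempfile` (`state: directory`) so the path is unpredictable and mode 0700. The comment on `nginx_selinux_enforcing` also says the mode is applied "globally"; a one-line warning that this changes host-wide SELinux enforcement rather than only nginx's domain would help readers who only expect nginx-related changes.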
@@ -0,0 +1,43 @@
+---
+# Enable systemd modifications
+# ** ALL of the following variables are ignored unless this is set to true **
+nginx_service_modify: false
+
+# Remove the override file completely
+nginx_service_clean: false
+
+# Override the systemd directory
+# Default is /etc/systemd/system/nginx.service.d
+nginx_service_overridepath: /etc/systemd/system/nginx.service.d
+
+# Override the systemd filename
+# Default is override.conf
+nginx_service_overridefilename: override.conf
+
+# Set service timeout for systemd systems in seconds (default: 90)
+# [Service]
+# TimeoutStopSec=90
+# Default is to comment this out
+# nginx_service_timeoutstopsec: 90
+
+# Set the restart policy for systemd systems
+# Values = no (default), on-failure, on-abnormal, on-watchdog, on-abort, always
+# [Service]
+# Restart=on-failure
+# Default is to comment this out
+# nginx_service_restart: on-failure
+
+# Set the restart timer in seconds
+# [Service]
+# RestartSec=5s
+# Default is to comment this out
+# nginx_service_restartsec: 5s
+
+# Enable a custom systemd override file
+# ** This could break the service **
+# Setting this to true disables custom values above
+nginx_service_custom: false
+
+# Filename and path for systemd override file
+# Setting this will overwrite existing override file
+nginx_service_custom_file: "{{ role_path }}/files/services/nginx.override.conf"
diff --git a/ansible/roles/nginxinc.nginx/defaults/main/template.yml b/ansible/roles/nginxinc.nginx/defaults/main/template.yml
deleted file mode 100644
index 1c0afd7..0000000
--- a/ansible/roles/nginxinc.nginx/defaults/main/template.yml
+++ /dev/null
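Review bot: The comment on `nginx_service_custom_file` ("Setting this will overwrite existing override file") reads as if the variable names the file on the target, but its default `{{ role_path }}/files/services/nginx.override.conf` is a controller-side path, so it is presumably the source that gets copied to `nginx_service_overridepath`/`nginx_service_overridefilename`; suggest `# Controller-side source file copied to the override path above when nginx_service_custom is true (replaces any existing override)`. Likewise `nginx_service_clean` is documented only as "Remove the override file completely", yet the header says every variable in this file is ignored unless `nginx_service_modify` is true, so a reader setting `nginx_service_clean: true` alone will see nothing happen; the comment should state that it also requires `nginx_service_modify: true`.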
@@ -1,369 +0,0 @@ ---- -# Enable creating dynamic templated NGINX HTML demo websites. -nginx_html_demo_template_enable: false -nginx_html_demo_template: - default: - template_file: www/index.html.j2 - html_file_name: index.html - html_file_location: /usr/share/nginx/html - web_server_name: Default - -# Enable creating dynamic templated NGINX configuration files. -# Defaults are the values found in a fresh NGINX installation. -nginx_main_template_enable: false -nginx_main_template: - template_file: nginx.conf.j2 - conf_file_name: nginx.conf - conf_file_location: /etc/nginx/ - user: nginx - worker_processes: auto - # worker_rlimit_nofile: 1024 - error_log: - location: /var/log/nginx/error.log - level: warn - worker_connections: 1024 - http_enable: true - http_settings: - access_log_format: - - name: main - format: |- - '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"' - access_log_location: - - name: main - location: /var/log/nginx/access.log - tcp_nopush: true - tcp_nodelay: true - keepalive_timeout: 65 - cache: false - rate_limit: false - keyval: false - # server_tokens: "off" - http_global_autoindex: false - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # http_custom_options: [] - stream_enable: false - # stream_custom_options: [] - # auth_request_http: /auth - # auth_request_set_http: - # name: $auth_user - # value: $upstream_http_x_user - -# Enable creating dynamic templated NGINX HTTP configuration files. -# Defaults will not produce a valid configuration. Instead they are meant to showcase -# the options available for templating. Each key represents a new configuration file. 
-nginx_http_template_enable: false -nginx_http_template: - default: - template_file: http/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - ip: localhost # Wrap in square brackets for IPv6 addresses - port: 8081 - ssl: true - opts: [] # Listen opts like http2 which will be added (ssl is automatically added if you specify 'ssl:'). - server_name: localhost - include_files: [] - error_page: /usr/share/nginx/html - access_log: - - name: main - location: /var/log/nginx/access.log - error_log: - location: /var/log/nginx/error.log - level: warn - root: /usr/share/nginx/html - # https_redirect: $host - autoindex: false - auth_basic: null - auth_basic_user_file: null - try_files: $uri $uri/index.html $uri.html =404 - # auth_request: /auth - # auth_request_set: - # name: $auth_user - # value: $upstream_http_x_user - client_max_body_size: 1m - proxy_hide_headers: [] # A list of headers which shouldn't be passed to the application - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: max-age=15768000; includeSubDomains - always: true - # header_name: - # name: Header-X - # value: Value-X - # always: false - ssl: - cert: /etc/ssl/certs/default.crt - key: /etc/ssl/private/default.key - dhparam: /etc/ssl/private/dh_param.pem - protocols: TLSv1 TLSv1.1 TLSv1.2 - ciphers: HIGH:!aNULL:!MD5 - prefer_server_ciphers: true - session_cache: none - session_timeout: 5m - disable_session_tickets: false - trusted_cert: /etc/ssl/certs/root_CA_cert_plus_intermediates.crt - stapling: true - stapling_verify: true - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # custom_options: [] - web_server: - locations: - default: - location: / - include_files: [] - proxy_hide_headers: [] # A list of headers which shouldn't be passed to the application - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: 
max-age=15768000; includeSubDomains - always: true - # header_name: - # name: Header-X - # value: Value-X - # always: false - html_file_location: /usr/share/nginx/html - html_file_name: index.html - autoindex: false - auth_basic: null - auth_basic_user_file: null - try_files: $uri $uri/index.html $uri.html =404 - # auth_request: /auth - # auth_request_set: - # name: $auth_user - # value: $upstream_http_x_user - client_max_body_size: 1m - # returns: - # return302: - # code: 302 - # url: https://sso.somehost.local/?url=https://$http_host$request_uri - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # custom_options: [] - http_demo_conf: false - reverse_proxy: - locations: - backend: - location: / - include_files: [] - proxy_hide_headers: [] # A list of headers which shouldn't be passed to the application - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: max-age=15768000; includeSubDomains - always: true - # header_name: - # name: Header-X - # value: Value-X - # always: false - proxy_connect_timeout: null - proxy_pass: http://backend - # rewrites: - # - /foo(.*) /$1 break - # proxy_pass_request_body: off - # allows: - # - 192.168.1.0/24 - # denies: - # - all - proxy_set_header: - header_host: - name: Host - value: $host - header_x_real_ip: - name: X-Real-IP - value: $remote_addr - header_x_forwarded_for: - name: X-Forwarded-For - value: $proxy_add_x_forwarded_for - header_x_forwarded_proto: - name: X-Forwarded-Proto - value: $scheme - # header_upgrade: - # name: Upgrade - # value: $http_upgrade - # header_connection: - # name: Connection - # value: "Upgrade" - # header_random: - # name: RandomName - # value: RandomValue - # internal: false - # proxy_store: off - # proxy_store_acccess: user:rw - proxy_read_timeout: null - proxy_send_timeout: null - proxy_ssl: - cert: /etc/ssl/certs/proxy_default.crt - key: /etc/ssl/private/proxy_default.key - trusted_cert: /etc/ssl/certs/proxy_ca.crt - 
protocols: TLSv1 TLSv1.1 TLSv1.2 - ciphers: HIGH:!aNULL:!MD5 - verify: false - verify_depth: 1 - session_reuse: true - proxy_cache: backend_proxy_cache - proxy_cache_valid: - - code: 200 - time: 10m - - code: 301 - time: 1m - proxy_temp_path: - path: /var/cache/nginx/proxy/backend/temp - proxy_cache_lock: false - proxy_cache_min_uses: 3 - proxy_cache_revalidate: false - proxy_cache_use_stale: - - http_403 - - http_404 - proxy_ignore_headers: - - Vary - - Cache-Control - proxy_cookie_path: - path: /web/ - replacement: / - proxy_buffering: false - proxy_http_version: 1.0 - websocket: false - auth_basic: null - auth_basic_user_file: null - try_files: $uri $uri/index.html $uri.html =404 - # auth_request: /auth - # auth_request_set: - # name: $auth_user - # value: $upstream_http_x_user - # returns: - # return302: - # code: 302 - # url: https://sso.somehost.local/?url=https://$http_host$request_uri - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # custom_options: [] - health_check_plus: false - returns: - return301: - location: / - code: 301 - value: http://$host$request_uri - proxy_cache: - proxy_cache_path: - - path: /var/cache/nginx/proxy/backend - keys_zone: - name: backend_proxy_cache - size: 10m - levels: "1:2" - max_size: 10g - inactive: 60m - use_temp_path: true - proxy_temp_path: - path: /var/cache/nginx/proxy/temp - proxy_cache_valid: - - code: 200 - time: 10m - - code: 301 - time: 1m - proxy_cache_lock: true - proxy_cache_min_uses: 5 - proxy_cache_revalidate: true - proxy_cache_use_stale: - - error - - timeout - proxy_ignore_headers: - - Expires - upstreams: - upstream1: - name: backend - lb_method: least_conn - zone_name: backend_mem_zone - zone_size: 64k - sticky_cookie: false - servers: - server1: - address: localhost - port: 8081 - weight: 1 - health_check: max_fails=1 fail_timeout=10s - # custom_options: [] - # custom_options: [] - -# Enable NGINX status data. 
-# Will enable 'stub_status' in NGINX Open Source and 'status' in NGINX Plus. -# Note - 'status' has been deprecated since NGINX Plus R13. -# Default is false. -nginx_status_enable: false -nginx_status_location: /etc/nginx/conf.d/stub_status.conf -nginx_status_port: 80 - -# Enable NGINX Plus REST API, write access to the REST API, and NGINX Plus dashboard. -# Requires NGINX Plus. -# Default is false. -nginx_rest_api_enable: false -nginx_rest_api_template_file: http/api.conf.j2 -nginx_rest_api_file_location: /etc/nginx/conf.d/api.conf -nginx_rest_api_port: 80 -nginx_rest_api_write: false -nginx_rest_api_dashboard: false - -# Enable creating dynamic templated NGINX stream configuration files. -# Defaults will not produce a valid configuration. Instead they are meant to showcase -# the options available for templating. Each key represents a new configuration file. -nginx_stream_template_enable: false -nginx_stream_template: - default: - template_file: stream/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/stream/ - network_streams: - default: - listen_address: localhost - listen_port: 80 - udp_enable: false - include_files: [] - proxy_pass: backend - proxy_timeout: 3s - proxy_connect_timeout: 1s - proxy_protocol: false - proxy_ssl: - cert: /etc/ssl/certs/proxy_default.crt - key: /etc/ssl/private/proxy_default.key - trusted_cert: /etc/ssl/certs/proxy_ca.crt - protocols: TLSv1 TLSv1.1 TLSv1.2 - ciphers: HIGH:!aNULL:!MD5 - verify: false - verify_depth: 1 - session_reuse: true - health_check_plus: false - # custom_options: [] - upstreams: - upstream1: - name: backend - lb_method: least_conn - zone_name: backend - zone_size: 64k - sticky_cookie: false - servers: - server1: - address: localhost - port: 8080 - weight: 1 - health_check: max_fails=1 fail_timeout=10s - # custom_options: [] - # custom_options: [] 
diff --git a/ansible/roles/nginxinc.nginx/defaults/main/unit.yml b/ansible/roles/nginxinc.nginx/defaults/main/unit.yml deleted file mode 100644 index e2bce7b..0000000 --- a/ansible/roles/nginxinc.nginx/defaults/main/unit.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# Install NGINX Unit and NGINX Unit modules. -# Use a list of supported NGINX Unit modules. -# Default is false. -nginx_unit_enable: false -nginx_unit_modules: null diff --git a/ansible/roles/nginxinc.nginx/defaults/main/upload.yml b/ansible/roles/nginxinc.nginx/defaults/main/upload.yml deleted file mode 100644 index d6aca77..0000000 --- a/ansible/roles/nginxinc.nginx/defaults/main/upload.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Enable uploading NGINX configuration files to your system. -# Default for uploading files is false. -# Default location of files is the files folder within the NGINX Ansible role. -# Upload the main NGINX configuration file. -nginx_main_upload_enable: false -nginx_main_upload_src: conf/nginx.conf -nginx_main_upload_dest: /etc/nginx/ -# Upload HTTP NGINX configuration files. -nginx_http_upload_enable: false -nginx_http_upload_src: conf/http/*.conf -nginx_http_upload_dest: /etc/nginx/conf.d/ -# Upload Stream NGINX configuration files. -nginx_stream_upload_enable: false -nginx_stream_upload_src: conf/stream/*.conf -nginx_stream_upload_dest: /etc/nginx/conf.d/ -# Upload HTML files. -nginx_html_upload_enable: false -nginx_html_upload_src: www/* -nginx_html_upload_dest: /usr/share/nginx/html -# Upload SSL certificates and keys. -nginx_ssl_upload_enable: false -nginx_ssl_crt_upload_src: ssl/*.crt -nginx_ssl_crt_upload_dest: /etc/ssl/certs/ -nginx_ssl_key_upload_src: ssl/*.key -nginx_ssl_key_upload_dest: /etc/ssl/private/ diff --git a/ansible/roles/nginxinc.nginx/files/conf/http/.gitkeep b/ansible/roles/nginxinc.nginx/files/conf/http/.gitkeep deleted file mode 100644 index e69de29..0000000 
diff --git a/ansible/roles/nginxinc.nginx/files/conf/stream/.gitkeep b/ansible/roles/nginxinc.nginx/files/conf/stream/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/ansible/roles/nginxinc.nginx/files/services/nginx.override.conf b/ansible/roles/nginxinc.nginx/files/services/nginx.override.conf new file mode 100644 index 0000000..2c99453 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/files/services/nginx.override.conf @@ -0,0 +1,2 @@ +[Service] +TimeoutStopSec=90 diff --git a/ansible/roles/nginxinc.nginx/files/ssl/.gitkeep b/ansible/roles/nginxinc.nginx/files/ssl/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/ansible/roles/nginxinc.nginx/files/www/index.html b/ansible/roles/nginxinc.nginx/files/www/index.html deleted file mode 100644 index 77dc0b6..0000000 --- a/ansible/roles/nginxinc.nginx/files/www/index.html +++ /dev/null @@ -1,25 +0,0 @@ - - - -Welcome to nginx! - - - -

Welcome to nginx!

-

If you see this page, the nginx web server is successfully installed and -working. Further configuration is required.

- -

For online documentation and support please refer to -nginx.org.
-Commercial support is available at -nginx.com.

- -

Thank you for using nginx.

- - \ No newline at end of file diff --git a/ansible/roles/nginxinc.nginx/handlers/main.yml b/ansible/roles/nginxinc.nginx/handlers/main.yml index 5d58b86..76a99d9 100644 --- a/ansible/roles/nginxinc.nginx/handlers/main.yml +++ b/ansible/roles/nginxinc.nginx/handlers/main.yml @@ -1,39 +1,39 @@ --- -- name: "(Handler: All OSs) Run NGINX" - block: - - - name: "(Handler: All OSs) Start NGINX" - service: - name: nginx - state: started - enabled: yes - notify: "(Handler: All OSs) Check NGINX" - - - name: "(Handler: All OSs) Reload NGINX" - command: "nginx -s reload" - changed_when: false +- name: (Handler) Systemd daemon-reload + systemd: + daemon_reload: yes +- name: (Handler) Start/reload NGINX + service: + name: nginx + state: reloaded + enabled: yes when: - nginx_start | bool - - not ansible_check_mode + - not ansible_check_mode | bool + listen: (Handler) Run NGINX -- name: "(Handler: All OSs) Start NGINX Amplify Agent" +- name: (Handler) Check NGINX + command: nginx -t + register: config_check + ignore_errors: yes + check_mode: no + changed_when: false + listen: (Handler) Run NGINX + +- name: (Handler) Print NGINX error if syntax check fails + debug: + var: config_check.stderr_lines + failed_when: config_check.rc != 0 + when: + - config_check.stderr_lines is defined + - config_check.rc != 0 + listen: (Handler) Run NGINX + +- name: (Handler) Start NGINX Amplify agent service: name: amplify-agent state: started -- name: "(Handler: Debian/Ubuntu/CentOS/RedHat) Start NGINX Unit" - service: - name: unit - state: started - enabled: yes - -- name: "(Handler: FreeBSD) Start NGINX Unit" - service: - name: unitd - state: started - enabled: yes - -- name: "(Handler: All OSs) Check NGINX" - command: "nginx -t" - changed_when: false +- name: (Handler) Run logrotate + command: logrotate -f /etc/logrotate.d/nginx diff --git a/ansible/roles/nginxinc.nginx/meta/.galaxy_install_info b/ansible/roles/nginxinc.nginx/meta/.galaxy_install_info index 24f861e..935239a 100644 
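Review bot: `(Handler) Start/reload NGINX` is defined ahead of `(Handler) Check NGINX` under the same `listen: (Handler) Run NGINX`, and handlers run in definition order, so a notified reload is applied before `nginx -t` has validated the configuration; the `failed_when: config_check.rc != 0` on the debug task only fails the play after the reload was already attempted. Moving the `Check NGINX` and `Print NGINX error` handlers above the start/reload handler and gating the reload on `config_check.rc == 0` keeps a broken config off the running server. Whether `state: reloaded` also starts a stopped nginx depends on the init backend the `service` module selects, so the "Start/reload" name may over-promise on some platforms; worth confirming. `(Handler) Run logrotate` runs `logrotate -f` on every notification with no `changed_when`, so it always reports changed.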
--- a/ansible/roles/nginxinc.nginx/meta/.galaxy_install_info +++ b/ansible/roles/nginxinc.nginx/meta/.galaxy_install_info @@ -1,2 +1,2 @@ -install_date: Fri May 15 21:51:16 2020 -version: 0.14.0 +install_date: Sat Feb 20 13:56:47 2021 +version: 0.19.1 diff --git a/ansible/roles/nginxinc.nginx/meta/main.yml b/ansible/roles/nginxinc.nginx/meta/main.yml index 0a3f86e..9055bb0 100644 --- a/ansible/roles/nginxinc.nginx/meta/main.yml +++ b/ansible/roles/nginxinc.nginx/meta/main.yml @@ -2,7 +2,8 @@ galaxy_info: author: Alessandro Fael Garcia description: Official Ansible role for NGINX - company: NGINX, Inc. + role_name: nginx + company: F5 Networks, Inc. license: Apache License, Version 2.0 @@ -11,19 +12,21 @@ galaxy_info: platforms: - name: Alpine versions: - - all + - any - name: Amazon versions: - - Candidate + - 2018.03 + - name: Amazon Linux 2 + versions: + - any - name: Debian versions: - - jessie - stretch - buster - name: EL versions: - - 6 - 7 + - 8 - name: FreeBSD versions: - 11.2 @@ -32,6 +35,7 @@ galaxy_info: versions: - xenial - bionic + - focal - name: SLES versions: - 12 @@ -40,11 +44,11 @@ galaxy_info: galaxy_tags: - nginx - oss + - opensource - plus - - amplify - - unit - web - server - development + - install dependencies: [] diff --git a/ansible/roles/nginxinc.nginx/molecule/common/Dockerfile.j2 b/ansible/roles/nginxinc.nginx/molecule/common/Dockerfile.j2 index c268a5b..a84fd9d 100644 --- a/ansible/roles/nginxinc.nginx/molecule/common/Dockerfile.j2 +++ b/ansible/roles/nginxinc.nginx/molecule/common/Dockerfile.j2 
@@ -17,27 +17,27 @@ ENV {{ var }} {{ value }} RUN \ if [ $(command -v apt-get) ]; then \ apt-get update \ - && apt-get install -y python3 sudo bash ca-certificates iproute2 python3-apt aptitude systemd systemd-sysv procps curl \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv vim \ && apt-get clean; \ elif [ $(command -v dnf) ]; then \ dnf makecache \ - && dnf --assumeyes install /usr/bin/python3 /usr/bin/python3-config /usr/bin/dnf-3 bash iproute \ + && dnf --assumeyes install bash iproute sudo /usr/bin/dnf-3 /usr/bin/python3 /usr/bin/python3-config vim \ && dnf clean all; \ elif [ $(command -v yum) ]; then \ yum makecache fast \ - && yum install -y /usr/bin/python /usr/bin/python2-config sudo yum-plugin-ovl bash iproute \ + && yum install -y bash iproute sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \ && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \ && yum clean all; \ elif [ $(command -v zypper) ]; then \ zypper refresh \ - && zypper install -y python3 sudo bash iproute2 \ + && zypper install -y bash iproute2 python3 sudo vim \ && zypper clean -a; \ elif [ $(command -v apk) ]; then \ apk update \ - && apk add --no-cache python3 sudo bash ca-certificates curl openrc; \ + && apk add --no-cache bash ca-certificates curl openrc python3 sudo vim; \ echo 'rc_provide="loopback net"' >> /etc/rc.conf; \ elif [ $(command -v xbps-install) ]; then \ xbps-install -Syu \ - && xbps-install -y python3 sudo bash ca-certificates iproute2 \ + && xbps-install -y bash ca-certificates iproute2 python3 sudo vim \ && xbps-remove -O; \ fi diff --git a/ansible/roles/nginxinc.nginx/molecule/common/files/http/default.conf b/ansible/roles/nginxinc.nginx/molecule/common/files/http/default.conf deleted file mode 100755 index 4559b82..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/files/http/default.conf +++ /dev/null 
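Review bot: The rewritten `apt-get install -y ...` line still has no `--no-install-recommends`, so the molecule image pulls recommended packages in on top of the explicit list; `DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ...` keeps the test image closer to a minimal target host. Adding `python-apt` next to `python3-apt` looks intended for Python 2 managed nodes; if the role only supports python3 interpreters that package is extra surface in the image, and since the intent is inferred a short comment naming why both are needed would help the next reader.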
@@ -1,44 +0,0 @@ -server { - listen 80; - server_name localhost; - - #charset koi8-r; - #access_log /var/log/nginx/host.access.log main; - - location / { - root /usr/share/nginx/html; - index index.html index.htm; - } - - #error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } - - # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # - #location ~ \.php$ { - # proxy_pass http://127.0.0.1; - #} - - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # root html; - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # include fastcgi_params; - #} - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} -} diff --git a/ansible/roles/nginxinc.nginx/molecule/common/files/nginx.conf b/ansible/roles/nginxinc.nginx/molecule/common/files/nginx.conf deleted file mode 100755 index ba09f41..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/files/nginx.conf +++ /dev/null @@ -1,31 +0,0 @@ -user nginx; -worker_processes 4; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - include /etc/nginx/conf.d/*.conf; -} 
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/files/www/.gitkeep b/ansible/roles/nginxinc.nginx/molecule/common/files/www/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_default.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_default.yml deleted file mode 100644 index aa04765..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_default.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Converge - hosts: all - pre_tasks: - - name: "Set repo if Alpine" - set_fact: - version: "=1.17.8-r1" - when: ansible_os_family == "Alpine" - - name: "Set repo if Debian" - set_fact: - version: "=1.17.8-1~{{ ansible_distribution_release }}" - when: ansible_os_family == "Debian" - - name: "Set repo if RedHat" - set_fact: - version: "-1.17.8-1.el{{ ansible_distribution_major_version }}.ngx" - when: ansible_os_family == "RedHat" - roles: - - role: ansible-role-nginx - vars: - nginx_version: "{{ version }}" diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_module.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_module.yml deleted file mode 100644 index 3f42b42..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_module.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: ansible-role-nginx - vars: - nginx_debug_output: true - - nginx_modules: - njs: true - perl: true - waf: false - geoip: true - image_filter: true - rtmp: true - xslt: true diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_source.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_source.yml deleted file mode 100644 index 808fd2f..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_source.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: ansible-role-nginx - vars: - nginx_debug_output: true - - nginx_install_from: source - nginx_branch: mainline - nginx_install_source_build_tools: true - nginx_install_source_pcre: false - nginx_install_source_openssl: true - nginx_install_source_zlib: false - - nginx_main_upload_enable: true - nginx_main_upload_src: files/nginx.conf - nginx_http_upload_enable: true - nginx_http_upload_src: files/http/*.conf diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_stable_push.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_stable_push.yml deleted file mode 100644 index c4841ae..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_stable_push.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: ansible-role-nginx - vars: - nginx_debug_output: true - - nginx_branch: stable - nginx_main_upload_enable: true - nginx_main_upload_src: files/nginx.conf - nginx_http_upload_enable: true - nginx_http_upload_src: files/http/*.conf diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_template.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_template.yml deleted file mode 100644 index 3ff9e57..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_template.yml +++ /dev/null 
@@ -1,353 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: ansible-role-nginx - vars: - nginx_debug_output: true - - nginx_main_template_enable: true - nginx_main_template: - template_file: nginx.conf.j2 - conf_file_name: nginx.conf - conf_file_location: /etc/nginx/ - user: nginx - worker_processes: auto - error_log: - location: /var/log/nginx/error.log - level: warn - worker_connections: 1024 - http_enable: true - http_settings: - access_log_format: - - name: main - format: | - '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"' - access_log_location: - - name: main - location: /var/log/nginx/access.log - keepalive_timeout: 65 - cache: false - rate_limit: false - keyval: false - server_tokens: "off" - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - stream_enable: true - http_global_autoindex: false - - nginx_http_template_enable: true - nginx_http_template: - app: - template_file: http/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - ip: 0.0.0.0 - port: 80 - opts: - - default_server - server_name: localhost - error_page: /usr/share/nginx/html - client_max_body_size: 512k - proxy_hide_headers: - - X-Powered-By - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: max-age=15768000; includeSubDomains - always: true - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - # custom_options: [] - reverse_proxy: - locations: - frontend: - location: / - proxy_hide_headers: - - X-Powered-By - add_headers: - strict_transport_security: - name: Strict-Transport-Security - value: max-age=15768000; includeSubDomains - always: true - another_header: - name: Fancy-New-Header-To-Test - value: testing=true - always: false - proxy_pass: http://frontend_servers/ - 
proxy_cache: frontend_proxy_cache - proxy_cache_valid: - - code: 200 - time: 10m - - code: 301 - time: 1m - proxy_temp_path: - path: /var/cache/nginx/proxy/frontend/temp - proxy_cache_lock: false - proxy_cache_min_uses: 3 - proxy_cache_revalidate: false - proxy_cache_use_stale: - - http_403 - - http_404 - proxy_ignore_headers: - - Vary - - Cache-Control - proxy_redirect: false - proxy_set_header: - header_host: - name: Host - value: $host - header_x_real_ip: - name: X-Real-IP - value: $remote_addr - header_x_forwarded_for: - name: X-Forwarded-For - value: $proxy_add_x_forwarded_for - header_x_forwarded_proto: - name: X-Forwarded-Proto - value: $scheme - proxy_buffering: false - client_max_body_size: 5m - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "on" - types: "text/html" - backend: - location: /backend - proxy_pass: http://backend_servers/ - proxy_cache: backend_proxy_cache - proxy_cache_valid: - - time: 10m - proxy_temp_path: - path: /var/cache/nginx/proxy/backend/temp - proxy_cache_lock: true - proxy_cache_min_uses: 2 - proxy_cache_revalidate: true - proxy_cache_use_stale: - - http_500 - - http_502 - - http_503 - proxy_redirect: default - proxy_set_header: - header_host: - name: Host - value: $host - header_x_real_ip: - name: X-Real-IP - value: $remote_addr - header_x_forwarded_for: - name: X-Forwarded-For - value: $proxy_add_x_forwarded_for - header_x_forwarded_proto: - name: X-Forwarded-Proto - value: $scheme - proxy_cookie_path: - path: /web/ - replacement: / - returns: - return301: - location: ^~ /old-path - code: 301 - value: http://$host/new-path - proxy_cache: - proxy_cache_path: - - path: /var/cache/nginx/proxy/frontend - keys_zone: - name: frontend_proxy_cache - size: 5m - levels: "1:2" - max_size: 5g - inactive: 30m - use_temp_path: true - - path: /var/cache/nginx/proxy/backend - keys_zone: - name: backend_proxy_cache - size: 10m - levels: "1:2" - max_size: 10g - inactive: 60m - use_temp_path: true - proxy_temp_path: - path: 
/var/cache/nginx/proxy/temp - proxy_cache_lock: true - proxy_cache_min_uses: 5 - proxy_cache_revalidate: true - proxy_cache_use_stale: - - error - - timeout - proxy_ignore_headers: - - Expires - upstreams: - frontend_upstream: - name: frontend_servers - lb_method: least_conn - zone_name: frontend_mem_zone - zone_size: 64k - sticky_cookie: false - servers: - frontend_server_1: - address: 0.0.0.0 - port: 8081 - weight: 1 - health_check: max_fails=3 fail_timeout=5s - backend_upstream: - name: backend_servers - lb_method: least_conn - zone_name: backend_mem_zone - zone_size: 64k - sticky_cookie: false - servers: - backend_server_1: - address: 0.0.0.0 - port: 8082 - weight: 1 - health_check: max_fails=3 fail_timeout=5s - frontend: - template_file: http/default.conf.j2 - conf_file_name: frontend_default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - port: 8081 - opts: [] - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - sub_filter: - sub_filters: - - "'server_hostname' '$hostname'" - - "'server_address' '$server_addr:$server_port'" - - "'server_url' '$request_uri'" - - "'remote_addr' '$remote_addr:$remote_port'" - - "'server_date' '$time_local'" - - "'client_browser' '$http_user_agent'" - - "'request_id' '$request_id'" - - "'nginx_version' '$nginx_version'" - - "'document_root' '$document_root'" - - "'proxied_for_ip' '$http_x_forwarded_for'" - last_modified: "off" - once: "off" - types: "text/html" - web_server: - locations: - frontend_site: - location: / - proxy_hide_headers: - - X-Powered-By - html_file_location: /usr/share/nginx/html - html_file_name: frontend_index.html - autoindex: false - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "off" - types: "text/html" - http_demo_conf: false - backend: - template_file: http/default.conf.j2 - conf_file_name: backend_default.conf - conf_file_location: /etc/nginx/conf.d/ - servers: - server1: - listen: - listen_localhost: - 
port: 8082 - opts: [] - server_name: localhost - error_page: /usr/share/nginx/html - autoindex: false - sub_filter: - sub_filters: - - "'server_hostname' '$hostname'" - - "'server_address' '$server_addr:$server_port'" - - "'server_url' '$request_uri'" - - "'remote_addr' '$remote_addr:$remote_port'" - - "'server_date' '$time_local'" - - "'client_browser' '$http_user_agent'" - - "'request_id' '$request_id'" - - "'nginx_version' '$nginx_version'" - - "'document_root' '$document_root'" - - "'proxied_for_ip' '$http_x_forwarded_for'" - last_modified: "off" - once: "off" - types: "text/html" - web_server: - locations: - backend_site: - location: / - html_file_location: /usr/share/nginx/html - html_file_name: backend_index.html - autoindex: false - php: - location: ~ \.php$ - html_file_location: /usr/share/nginx/html - autoindex: false - custom_options: - - fastcgi_split_path_info ^(.+\.php)(/.+)$ - - fastcgi_pass unix:/run/php/php7.2-fpm.sock - - fastcgi_index index.php - - include fastcgi_params - - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name - sub_filter: - # sub_filters: [] - last_modified: "off" - once: "off" - types: "text/html" - http_demo_conf: false - nginx_html_demo_template_enable: true - nginx_html_demo_template: - frontend: - template_file: www/index.html.j2 - html_file_name: frontend_index.html - html_file_location: /usr/share/nginx/html - web_server_name: Frontend - backend: - template_file: www/index.html.j2 - html_file_name: backend_index.html - html_file_location: /usr/share/nginx/html - web_server_name: Backend - - nginx_stream_template_enable: true - nginx_stream_template: - default: - template_file: stream/default.conf.j2 - conf_file_name: default.conf - conf_file_location: /etc/nginx/conf.d/stream - network_streams: - app: - listen_address: 0.0.0.0 - listen_port: 8090 - udp_enable: false - proxy_pass: backend - proxy_timeout: 3s - proxy_connect_timeout: 1s - proxy_protocol: false - health_check_plus: false - upstreams: - 
backend_upstream: - name: backend - lb_method: least_conn - zone_name: backend - zone_size: 64k - sticky_cookie: false - servers: - backend_server_1: - address: 0.0.0.0 - port: 8091 - weight: 1 - health_check: max_fails=1 fail_timeout=10s diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbook_unit.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbook_unit.yml deleted file mode 100644 index ee1dcc1..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/playbook_unit.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -- name: Converge - hosts: all - pre_tasks: - - name: "Set module if Alpine" - set_fact: - module: - - "unit-perl" - - "unit-php7" - - "unit-python3" - when: ansible_os_family == "Alpine" - - name: "Set module if Debian/RedHat" - set_fact: - module: - - "unit-perl" - - "unit-php" - - "unit-ruby" - when: ansible_os_family == "Debian" - - name: "Set module if RedHat" - set_fact: - module: - - "unit-php" - - "unit-go" - when: ansible_os_family == "RedHat" - roles: - - role: ansible-role-nginx - vars: - nginx_enable: false - nginx_unit_enable: true - nginx_unit_modules: "{{ module }}" diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_converge.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_converge.yml new file mode 100644 index 0000000..3700406 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_converge.yml 
@@ -0,0 +1,47 @@
+---
+- name: Converge
+ hosts: all
+ pre_tasks:
+ - name: Set repo if Alpine
+ set_fact:
+ version: "=1.19.1-r1"
+ when: ansible_facts['os_family'] == "Alpine"
+ - name: Set repo if Debian
+ set_fact:
+ version: "=1.19.1-1~{{ ansible_facts['distribution_release'] }}"
+ when: ansible_facts['os_family'] == "Debian"
+ - name: Set repo if Red Hat
+ set_fact:
+ version: "-1.19.1-1.el{{ ansible_facts['distribution_major_version'] }}.ngx"
+ when: ansible_facts['os_family'] == "RedHat"
+ - name: Enable NGINX @CentOS-AppStream dnf modules
+ shell:
+ args:
+ cmd: dnf module info nginx | grep -q 'Stream.*\[e\]' && echo -n ENABLED || dnf module enable -y nginx # noqa 204 303
+ register: dnf_module_enable
+ changed_when: dnf_module_enable.stdout != 'ENABLED'
+ when: ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '==')
+ tasks:
+ - name: Install NGINX
+ include_role:
+ name: ansible-role-nginx
+ vars:
+ nginx_debug_output: true
+ nginx_selinux: true
+ nginx_selinux_tcp_ports:
+ - 80
+ - 443
+ nginx_version: "{{ version }}"
+ nginx_configure: false
+ nginx_logrotate_conf_enable: true
+ nginx_logrotate_conf:
+ paths:
+ - /var/log/nginx/*.log
+ options:
+ - daily
+ - missingok
+ - rotate 14
+ - compress
+ - delaycompress
+ - notifempty
+ - sharedscripts
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_verify.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_verify.yml
new file mode 100644
index 0000000..8e590fb
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/default_verify.yml
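Review bot: The pin `1.19.1` is spelled out three times in the `Set repo if …` set_fact tasks, so bumping the tested version means editing three strings that must stay in sync; a single play-level var such as `nginx_test_version: 1.19.1` interpolated into each of them keeps the matrix consistent. On any host whose `os_family` matches none of the three `when` clauses `version` is never set, and `nginx_version: "{{ version }}"` in the include_role vars then fails with a generic undefined-variable error instead of saying which platform is unsupported; an `assert` with `that: version is defined` as the last pre_task makes that explicit.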
@@ -0,0 +1,24 @@
+---
+- name: Verify
+ hosts: all
+ tasks:
+ - name: Check if NGINX is installed
+ package:
+ name: nginx
+ check_mode: yes
+ register: install
+ failed_when: (install is changed) or (install is failed)
+
+ - name: Check if NGINX service is running
+ service:
+ name: nginx
+ state: started
+ enabled: yes
+ check_mode: yes
+ register: service
+ failed_when: (service is changed) or (service is failed)
+
+ - name: Verify NGINX is up and running
+ uri:
+ url: http://localhost
+ status_code: 200
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_converge.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_converge.yml
new file mode 100644
index 0000000..9c68740
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_converge.yml
@@ -0,0 +1,26 @@
+---
+- name: Converge
+ hosts: all
+ tasks:
+ - name: Install NGINX modules
+ include_role:
+ name: ansible-role-nginx
+ vars:
+ nginx_debug_output: true
+
+ nginx_service_modify: true
+ nginx_service_timeout: 95
+ nginx_selinux: true
+ nginx_selinux_tcp_ports:
+ - 80
+ - 443
+
+ nginx_modules:
+ - brotli
+ - geoip
+ - image-filter
+ - name: njs
+ # version: =1.19.4+0.4.4-1~bionic
+ state: present
+ - perl
+ - xslt
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_verify.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_verify.yml
new file mode 100644
index 0000000..8e590fb
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/module_verify.yml
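Review bot: `default_verify.yml` and the `module_verify.yml` added in the next file section are byte-identical (both headers carry the same blob `index 0000000..8e590fb`), and `plus_verify.yml` differs only in the package name `nginx-plus`; three copies of the same three checks will drift apart the first time one of them is fixed. One shared verify playbook with `name: "{{ nginx_package_name | default('nginx') }}"` on the `package` task, and the plus scenario setting that var, covers all three scenarios and keeps them in step. If the copies are kept, a header comment in each saying which file is the canonical one would at least make the duplication deliberate.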
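Review bot: The commented-out `# version: =1.19.4+0.4.4-1~bionic` under the `njs` entry is dead, Ubuntu-bionic-specific text in a playbook that also runs on the Debian, Alpine and CentOS platforms; either drop it or derive the suffix from `ansible_facts['distribution_release']` the way `default_converge.yml` builds its `version` fact. `nginx_service_timeout: 95` is a bare magic number; a trailing comment saying what the 95 seconds are waiting for (presumably module loading at service start, given `nginx_service_modify: true`, but that should be confirmed against the role) saves the next reader a trip into the role's defaults.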
@@ -0,0 +1,24 @@
+---
+- name: Verify
+ hosts: all
+ tasks:
+ - name: Check if NGINX is installed
+ package:
+ name: nginx
+ check_mode: yes
+ register: install
+ failed_when: (install is changed) or (install is failed)
+
+ - name: Check if NGINX service is running
+ service:
+ name: nginx
+ state: started
+ enabled: yes
+ check_mode: yes
+ register: service
+ failed_when: (service is changed) or (service is failed)
+
+ - name: Verify NGINX is up and running
+ uri:
+ url: http://localhost
+ status_code: 200
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_converge.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_converge.yml
new file mode 100644
index 0000000..696ffd8
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_converge.yml
@@ -0,0 +1,32 @@
+---
+- name: Converge
+ hosts: all
+ tasks:
+ - name: Install NGINX
+ include_role:
+ name: ansible-role-nginx
+ vars:
+ nginx_type: plus
+ nginx_license:
+ certificate: license/nginx-repo.crt
+ key: license/nginx-repo.key
+ nginx_remove_license: false
+ nginx_modules:
+ - auth-spnego
+ - brotli
+ - cookie-flag
+ - encrypted-session
+ - geoip
+ - geoip2
+ - headers-more
+ - image-filter
+ - lua
+ - modsecurity
+ - njs
+ - opentracing
+ - passenger
+ - perl
+ - prometheus
+ - rtmp
+ - subs-filter
+ - xslt
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_prepare.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_prepare.yml
new file mode 100644
index 0000000..594d5ee
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_prepare.yml
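Review bot: `nginx_remove_license: false` keeps the NGINX Plus repository certificate and key (`license/nginx-repo.crt` / `license/nginx-repo.key`) on the converged host after the packages are installed, which is presumably the opposite of the role's default cleanup, and nothing in the scenario says why they must persist. A one-line comment above it such as `# keep the repo credentials on the host: <reason the verify stage needs them>` makes the exception intentional; if there is no reason, the line should go so the credentials are wiped once installation is done. The enclosing `vars:` mapping is complete within the hunk.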
@@ -0,0 +1,18 @@
+---
+- name: Prepare
+ hosts: localhost
+ gather_facts: false
+ tasks:
+ - name: Create ephemeral license certificate file from b64 decoded env var
+ copy:
+ content: "{{ lookup('env','NGINX_CRT') | b64decode }}"
+ dest: ../../../files/license/nginx-repo.crt
+ force: no
+ mode: 0444
+
+ - name: Create ephemeral license key file from b64 decoded env var
+ copy:
+ content: "{{ lookup('env','NGINX_KEY') | b64decode }}"
+ dest: ../../../files/license/nginx-repo.key
+ force: no
+ mode: 0444
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_verify.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_verify.yml
new file mode 100644
index 0000000..2c1c78f
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/plus_verify.yml
@@ -0,0 +1,24 @@
+---
+- name: Verify
+ hosts: all
+ tasks:
+ - name: Check if NGINX is installed
+ package:
+ name: nginx-plus
+ check_mode: yes
+ register: install
+ failed_when: (install is changed) or (install is failed)
+
+ - name: Check if NGINX service is running
+ service:
+ name: nginx
+ state: started
+ enabled: yes
+ check_mode: yes
+ register: service
+ failed_when: (service is changed) or (service is failed)
+
+ - name: Verify NGINX is up and running
+ uri:
+ url: http://localhost
+ status_code: 200
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_converge.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_converge.yml
new file mode 100644
index 0000000..534fc85
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_converge.yml
@@ -0,0 +1,16 @@
+---
+- name: Converge
+ hosts: all
+ tasks:
+ - name: Install NGINX from source
+ include_role:
+ name: ansible-role-nginx
+ vars:
+ nginx_debug_output: true
+
+ nginx_install_from: source
+ nginx_branch: stable
+ nginx_install_source_build_tools: true
+ nginx_install_source_pcre: true
+ nginx_install_source_openssl: true
+ nginx_install_source_zlib: true
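Review bot: Both `copy` tasks use `mode: 0444`, so the decoded NGINX Plus repository private key written to `nginx-repo.key` is world-readable on the control host; `mode: 0400` is enough for the molecule process that owns the file, and `no_log: true` on the key task keeps the decoded content out of verbose task output. With `force: no` the files are never rewritten once they exist, so a rotated `NGINX_KEY` in the environment is silently ignored on later runs, and when the variable is unset `lookup('env','NGINX_KEY')` yields an empty string that decodes to an empty key file which then sticks for the same reason; a preceding `assert` with `that: lookup('env','NGINX_KEY') | length > 0` fails early and clearly instead. The relative `dest: ../../../files/license/…` also depends on the working directory the play runs from rather than on the playbook's location; anchoring it as `{{ playbook_dir }}/../../../files/license/nginx-repo.key` removes that assumption.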
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_verify.yml b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_verify.yml
new file mode 100644
index 0000000..d69320c
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/molecule/common/playbooks/source_verify.yml
@@ -0,0 +1,17 @@
+---
+- name: Verify
+ hosts: all
+ tasks:
+ - name: Check if NGINX service is running
+ service:
+ name: nginx
+ state: started
+ enabled: yes
+ check_mode: yes
+ register: service
+ failed_when: (service is changed) or (service is failed)
+
+ - name: Verify NGINX is up and running
+ uri:
+ url: http://localhost
+ status_code: 200
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_default/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_default/test_default.py
deleted file mode 100644
index 8d12025..0000000
--- a/ansible/roles/nginxinc.nginx/molecule/common/test_default/test_default.py
+++ /dev/null
@@ -1,30 +0,0 @@
-import os
-
-import testinfra.utils.ansible_runner
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
-
-
-def test_nginx_is_installed(host):
- ngx = host.package("nginx")
- assert ngx.is_installed
-
-
-def test_nginx_running_and_enabled(host):
- ngx = host.service("nginx")
- assert ngx.is_running
- assert ngx.is_enabled
-
-
-def test_hosts_file(host):
- ngx = host.file('/etc/hosts')
- assert ngx.exists
- assert ngx.user == 'root'
- assert ngx.group == 'root'
-
-
-def test_endpoint(host):
- command = """curl -I http://localhost/"""
- cmd = host.run(command)
- assert '200 OK' in cmd.stdout
diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_module/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_module/test_default.py
deleted file mode 100644
index 8d12025..0000000
--- a/ansible/roles/nginxinc.nginx/molecule/common/test_module/test_default.py
+++ /dev/null
@@ -1,30 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_nginx_is_installed(host): - ngx = host.package("nginx") - assert ngx.is_installed - - -def test_nginx_running_and_enabled(host): - ngx = host.service("nginx") - assert ngx.is_running - assert ngx.is_enabled - - -def test_hosts_file(host): - ngx = host.file('/etc/hosts') - assert ngx.exists - assert ngx.user == 'root' - assert ngx.group == 'root' - - -def test_endpoint(host): - command = """curl -I http://localhost/""" - cmd = host.run(command) - assert '200 OK' in cmd.stdout diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_source/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_source/test_default.py deleted file mode 100644 index 24fcbab..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/test_source/test_default.py +++ /dev/null @@ -1,25 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_nginx_running_and_enabled(host): - ngx = host.service("nginx") - assert ngx.is_running - assert ngx.is_enabled - - -def test_hosts_file(host): - ngx = host.file('/etc/hosts') - assert ngx.exists - assert ngx.user == 'root' - assert ngx.group == 'root' - - -def test_endpoint(host): - command = """curl -I http://localhost/""" - cmd = host.run(command) - assert '200 OK' in cmd.stdout diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_stable_push/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_stable_push/test_default.py deleted file mode 100644 index c695962..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/test_stable_push/test_default.py +++ /dev/null 
@@ -1,42 +0,0 @@ -import nginx -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_nginx_is_installed(host): - ngx = host.package("nginx") - assert ngx.is_installed - - -def test_nginx_running_and_enabled(host): - ngx = host.service("nginx") - assert ngx.is_running - assert ngx.is_enabled - - -def test_hosts_file(host): - ngx = host.file('/etc/hosts') - assert ngx.exists - assert ngx.user == 'root' - assert ngx.group == 'root' - - -def test_endpoint(host): - command = """curl -I http://localhost/""" - cmd = host.run(command) - assert '200 OK' in cmd.stdout - - -def test_generated_files(host): - assert host.file('/etc/nginx/conf.d/default.conf').exists - - -def test_default_server(host): - f = host.file('/etc/nginx/conf.d/default.conf') - c = nginx.loads(f.content_string) - lf = c.server.filter('Location', '/') - assert len(lf) == 1 diff --git a/ansible/roles/nginxinc.nginx/molecule/common/test_template/test_default.py b/ansible/roles/nginxinc.nginx/molecule/common/test_template/test_default.py deleted file mode 100644 index 0b79c97..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/common/test_template/test_default.py +++ /dev/null 
@@ -1,58 +0,0 @@ -import nginx -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_nginx_is_installed(host): - ngx = host.package("nginx") - assert ngx.is_installed - - -def test_nginx_running_and_enabled(host): - ngx = host.service("nginx") - assert ngx.is_running - assert ngx.is_enabled - - -def test_hosts_file(host): - ngx = host.file('/etc/hosts') - assert ngx.exists - assert ngx.user == 'root' - assert ngx.group == 'root' - - -def test_endpoint(host): - command = """curl -I http://localhost/""" - cmd = host.run(command) - assert '200 OK' in cmd.stdout - - -def test_generated_files(host): - assert host.file('/etc/nginx/conf.d/default.conf').exists - assert host.file('/etc/nginx/conf.d/frontend_default.conf').exists - assert host.file('/etc/nginx/conf.d/backend_default.conf').exists - - -def test_default_server(host): - f = host.file('/etc/nginx/conf.d/default.conf') - c = nginx.loads(f.content_string) - lf = c.server.filter('Location', '/') - assert len(lf) == 1 - lb = c.server.filter('Location', '/backend') - assert len(lb) == 1 - - -def test_client_max_body_size(host): - f = host.file('/etc/nginx/conf.d/default.conf') - c = nginx.loads(f.content_string) - vs = c.server.filter('Key', 'client_max_body_size') - assert len(vs) == 1 - assert vs[0].value == '512k' - lc = c.server.filter('Location', '/') - vl = lc[0].filter('Key', 'client_max_body_size') - assert len(vl) == 1 - assert vl[0].value == '5m' diff --git a/ansible/roles/nginxinc.nginx/molecule/default/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/default/molecule.yml index 9a5c3a6..ad780a3 100644 --- a/ansible/roles/nginxinc.nginx/molecule/default/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/default/molecule.yml 
@@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: debian-stretch image: debian:stretch-slim @@ -35,10 +34,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_default.yml -verifier: - name: testinfra - directory: ../common/test_default + converge: ../common/playbooks/default_converge.yml + verify: ../common/playbooks/default_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/default_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/default_alpine/molecule.yml index 8fea6a0..84342fb 100644 --- a/ansible/roles/nginxinc.nginx/molecule/default_alpine/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/default_alpine/molecule.yml @@ -4,23 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - name: alpine-3.10 image: alpine:3.10 dockerfile: ../common/Dockerfile.j2 
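Review bot: Dropping the `verifier:` block while adding `verify: ../common/playbooks/default_verify.yml` under `provisioner.playbooks` works only when the Molecule in use defaults to the `ansible` verifier (Molecule 3 does; 2.x defaulted to testinfra), because that `verify:` key is honoured by the ansible verifier alone; on an older install the converge passes and the new verify playbook is simply never run, so the scenario silently stops checking anything. Pinning the assumption costs two lines, `verifier:` followed by `  name: ansible`. The same applies to every scenario this commit rewires the same way: default_alpine, default_centos, module, module_alpine, module_centos, plus, plus_alpine, plus_centos, source, source_alpine and source_centos.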
@@ -35,10 +20,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: alpine-3.12 + image: alpine:3.12 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_default.yml -verifier: - name: testinfra - directory: ../common/test_default + converge: ../common/playbooks/default_converge.yml + verify: ../common/playbooks/default_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/default_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/default_centos/molecule.yml index 11b030f..7ae1cde 100644 --- a/ansible/roles/nginxinc.nginx/molecule/default_centos/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/default_centos/molecule.yml @@ -4,12 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - name: centos-7 image: centos:7 dockerfile: ../common/Dockerfile.j2 @@ -27,7 +23,5 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_default.yml -verifier: - name: testinfra - directory: ../common/test_default + converge: ../common/playbooks/default_converge.yml + verify: ../common/playbooks/default_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/module/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/module/molecule.yml index 2e12f7e..d1f3cba 100644 --- a/ansible/roles/nginxinc.nginx/molecule/module/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/module/molecule.yml @@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: debian-stretch image: debian:stretch-slim 
@@ -35,10 +34,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_module.yml -verifier: - name: testinfra - directory: ../common/test_module + converge: ../common/playbooks/module_converge.yml + verify: ../common/playbooks/module_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/module_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/module_alpine/molecule.yml index 8de545e..06140c8 100644 --- a/ansible/roles/nginxinc.nginx/molecule/module_alpine/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/module_alpine/molecule.yml @@ -4,23 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - name: alpine-3.10 image: alpine:3.10 dockerfile: ../common/Dockerfile.j2 @@ -35,10 +20,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: alpine-3.12 + image: alpine:3.12 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_module.yml -verifier: - name: testinfra - directory: ../common/test_module + converge: ../common/playbooks/module_converge.yml + verify: ../common/playbooks/module_verify.yml 
diff --git a/ansible/roles/nginxinc.nginx/molecule/module_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/module_centos/molecule.yml index 0b09e78..aaac71a 100644 --- a/ansible/roles/nginxinc.nginx/molecule/module_centos/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/module_centos/molecule.yml @@ -4,12 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - name: centos-7 image: centos:7 dockerfile: ../common/Dockerfile.j2 @@ -27,7 +23,5 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_module.yml -verifier: - name: testinfra - directory: ../common/test_module + converge: ../common/playbooks/module_converge.yml + verify: ../common/playbooks/module_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/unit/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/plus/molecule.yml similarity index 70% rename from ansible/roles/nginxinc.nginx/molecule/unit/molecule.yml rename to ansible/roles/nginxinc.nginx/molecule/plus/molecule.yml index 71585a8..6f3dbd5 100644 --- a/ansible/roles/nginxinc.nginx/molecule/unit/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/plus/molecule.yml @@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: debian-stretch image: debian:stretch-slim @@ -35,7 +34,16 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_unit.yml + prepare: ../common/playbooks/plus_prepare.yml + converge: ../common/playbooks/plus_converge.yml + verify: ../common/playbooks/plus_verify.yml 
diff --git a/ansible/roles/nginxinc.nginx/molecule/unit_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/plus_alpine/molecule.yml similarity index 63% rename from ansible/roles/nginxinc.nginx/molecule/unit_alpine/molecule.yml rename to ansible/roles/nginxinc.nginx/molecule/plus_alpine/molecule.yml index cd02977..92956e1 100644 --- a/ansible/roles/nginxinc.nginx/molecule/unit_alpine/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/plus_alpine/molecule.yml @@ -4,32 +4,24 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - name: alpine-3.10 - image: alpine:3.10 + image: python:alpine3.10 dockerfile: ../common/Dockerfile.j2 privileged: true volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" - name: alpine-3.11 - image: alpine:3.11 + image: python:alpine3.11 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.12 + image: alpine:3.12 dockerfile: ../common/Dockerfile.j2 privileged: true volumes: @@ -38,4 +30,6 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_unit.yml + prepare: ../common/playbooks/plus_prepare.yml + converge: ../common/playbooks/plus_converge.yml + verify: ../common/playbooks/plus_verify.yml 
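Review bot: In `plus_alpine/molecule.yml` the `alpine-3.10` and `alpine-3.11` platforms switch to `python:alpine3.10` / `python:alpine3.11` while the newly added `alpine-3.12` entry stays on plain `alpine:3.12`, and the later `source_alpine/molecule.yml` hunk makes exactly the opposite change, moving those two platforms from the `python:` images back to `alpine:`. If the python-bundled images are needed for the plus scenario, `alpine-3.12` will behave differently from its two siblings; if they are not, the three entries should share one base image. Either way a short comment on the `image:` lines stating why this scenario differs from `source_alpine` would stop the next contributor from "fixing" it in one direction or the other.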
diff --git a/ansible/roles/nginxinc.nginx/molecule/unit_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/plus_centos/molecule.yml similarity index 72% rename from ansible/roles/nginxinc.nginx/molecule/unit_centos/molecule.yml rename to ansible/roles/nginxinc.nginx/molecule/plus_centos/molecule.yml index bd73ca0..40f02db 100644 --- a/ansible/roles/nginxinc.nginx/molecule/unit_centos/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/plus_centos/molecule.yml @@ -4,12 +4,8 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - name: centos-7 image: centos:7 dockerfile: ../common/Dockerfile.j2 @@ -27,4 +23,6 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_unit.yml + prepare: ../common/playbooks/plus_prepare.yml + converge: ../common/playbooks/plus_converge.yml + verify: ../common/playbooks/plus_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/source/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/source/molecule.yml index a2028ed..75efa0f 100644 --- a/ansible/roles/nginxinc.nginx/molecule/source/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/source/molecule.yml @@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: debian-stretch image: debian:stretch-slim @@ -35,10 +34,15 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: - converge: ../common/playbook_source.yml -verifier: - name: testinfra - directory: ../common/test_source + converge: ../common/playbooks/source_converge.yml + verify: ../common/playbooks/source_verify.yml 
diff --git a/ansible/roles/nginxinc.nginx/molecule/source_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/source_alpine/molecule.yml index a5b2919..a23bdaa 100644 --- a/ansible/roles/nginxinc.nginx/molecule/source_alpine/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/source_alpine/molecule.yml @@ -4,32 +4,24 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - name: alpine-3.10 - image: python:alpine3.10 + image: alpine:3.10 dockerfile: ../common/Dockerfile.j2 privileged: true volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" - name: alpine-3.11 - image: python:alpine3.11 + image: alpine:3.11 + dockerfile: ../common/Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: alpine-3.12 + image: alpine:3.12 dockerfile: ../common/Dockerfile.j2 privileged: true volumes: @@ -38,7 +30,5 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_source.yml -verifier: - name: testinfra - directory: ../common/test_source + converge: ../common/playbooks/source_converge.yml + verify: ../common/playbooks/source_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/source_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/source_centos/molecule.yml index 1fff5be..1e29674 100644 --- a/ansible/roles/nginxinc.nginx/molecule/source_centos/molecule.yml +++ b/ansible/roles/nginxinc.nginx/molecule/source_centos/molecule.yml 
@@ -4,8 +4,7 @@ driver: lint: | set -e yamllint . - ansible-lint - flake8 + ansible-lint --force-color platforms: - name: centos-7 image: centos:7 @@ -24,7 +23,5 @@ platforms: provisioner: name: ansible playbooks: - converge: ../common/playbook_source.yml -verifier: - name: testinfra - directory: ../common/test_source + converge: ../common/playbooks/source_converge.yml + verify: ../common/playbooks/source_verify.yml diff --git a/ansible/roles/nginxinc.nginx/molecule/stable_push/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/stable_push/molecule.yml deleted file mode 100644 index 40c6990..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/stable_push/molecule.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: debian-stretch - image: debian:stretch-slim - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: debian-buster - image: debian:buster-slim - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: ubuntu-xenial - image: ubuntu:xenial - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: ubuntu-bionic - image: ubuntu:bionic - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_stable_push.yml -verifier: - name: testinfra - directory: ../common/test_stable_push diff --git a/ansible/roles/nginxinc.nginx/molecule/stable_push_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/stable_push_alpine/molecule.yml deleted file mode 100644 index c2753f3..0000000 
--- a/ansible/roles/nginxinc.nginx/molecule/stable_push_alpine/molecule.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.10 - image: alpine:3.10 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.11 - image: alpine:3.11 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_stable_push.yml -verifier: - name: testinfra - directory: ../common/test_stable_push diff --git a/ansible/roles/nginxinc.nginx/molecule/stable_push_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/stable_push_centos/molecule.yml deleted file mode 100644 index c5f1884..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/stable_push_centos/molecule.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - - name: centos-7 - image: centos:7 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/usr/sbin/init" - - name: centos-8 - image: centos:8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/usr/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_stable_push.yml -verifier: - name: testinfra - directory: ../common/test_stable_push diff --git a/ansible/roles/nginxinc.nginx/molecule/template/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/template/molecule.yml deleted file mode 100644 index 541fee0..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/template/molecule.yml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: debian-stretch - image: debian:stretch-slim - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: debian-buster - image: debian:buster-slim - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: ubuntu-xenial - image: ubuntu:xenial - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: ubuntu-bionic - image: ubuntu:bionic - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_template.yml -verifier: - name: testinfra - directory: ../common/test_template diff --git a/ansible/roles/nginxinc.nginx/molecule/template_alpine/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/template_alpine/molecule.yml deleted file mode 100644 index a646a5b..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/template_alpine/molecule.yml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: alpine-3.8 - image: alpine:3.8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.9 - image: alpine:3.9 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.10 - image: alpine:3.10 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" - - name: alpine-3.11 - image: alpine:3.11 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_template.yml -verifier: - name: testinfra - directory: ../common/test_template diff --git a/ansible/roles/nginxinc.nginx/molecule/template_centos/molecule.yml b/ansible/roles/nginxinc.nginx/molecule/template_centos/molecule.yml deleted file mode 100644 index 3b0f745..0000000 --- a/ansible/roles/nginxinc.nginx/molecule/template_centos/molecule.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -dependency: - name: shell - command: pip install python-nginx -driver: - name: docker -lint: | - set -e - yamllint . - ansible-lint - flake8 -platforms: - - name: centos-6 - image: centos:6 - dockerfile: ../common/Dockerfile.j2 - - name: centos-7 - image: centos:7 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/usr/sbin/init" - - name: centos-8 - image: centos:8 - dockerfile: ../common/Dockerfile.j2 - privileged: true - volumes: - - "/sys/fs/cgroup:/sys/fs/cgroup:rw" - command: "/usr/sbin/init" -provisioner: - name: ansible - playbooks: - converge: ../common/playbook_template.yml -verifier: - name: testinfra - directory: ../common/test_template diff --git a/ansible/roles/nginxinc.nginx/tasks/amplify/install-amplify.yml b/ansible/roles/nginxinc.nginx/tasks/amplify/install-amplify.yml index 9204abf..2a06fed 100644 --- a/ansible/roles/nginxinc.nginx/tasks/amplify/install-amplify.yml +++ b/ansible/roles/nginxinc.nginx/tasks/amplify/install-amplify.yml 
@@ -1,24 +1,23 @@ --- -- import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" +- name: Configure NGINX Amplify agent repository + include_tasks: "{{ role_path }}/tasks/amplify/setup-{{ ansible_facts['os_family'] | lower }}.yml" + when: ansible_facts['os_family'] in ['Debian', 'RedHat'] -- import_tasks: setup-redhat.yml - when: ansible_os_family == "RedHat" - -- name: "(Install: All OSs) Install NGINX Amplify Agent" +- name: Install NGINX Amplify agent package: name: nginx-amplify-agent state: present -- name: "(Setup: All OSs) Copy NGINX Configurator Agent Configuration Template" +- name: Copy NGINX configurator agent configuration template copy: remote_src: yes src: /etc/amplify-agent/agent.conf.default dest: /etc/amplify-agent/agent.conf + mode: 0644 -- name: "(Setup: All OSs) Configure NGINX Amplify Agent API Key" +- name: Configure NGINX Amplify agent API key lineinfile: dest: /etc/amplify-agent/agent.conf regexp: api_key =.* line: "api_key = {{ nginx_amplify_api_key }}" - notify: "(Handler: All OSs) Start NGINX Amplify Agent" + notify: (Handler) Start NGINX Amplify agent diff --git a/ansible/roles/nginxinc.nginx/tasks/amplify/setup-debian.yml b/ansible/roles/nginxinc.nginx/tasks/amplify/setup-debian.yml index 224a076..c8e5d15 100644 --- a/ansible/roles/nginxinc.nginx/tasks/amplify/setup-debian.yml +++ b/ansible/roles/nginxinc.nginx/tasks/amplify/setup-debian.yml 
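Review bot: The `copy` task now writes `/etc/amplify-agent/agent.conf` with the added `mode: 0644`, and the `lineinfile` task right after it places `nginx_amplify_api_key` into that same file, so the API key ends up world-readable on the host. Which user the agent runs as is not visible here; unless it needs a non-root reader, `mode: 0640` (with the agent's group in `group:`) is the safer default for a file that holds a credential. The `lineinfile` task also has no `no_log: true`, so the rendered `api_key = …` line can show up in `--diff`/verbose output and in any log collection of the play. Both are one-line changes: `mode: 0640` on the copy task and `no_log: true` on the lineinfile task.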
@@ -1,5 +1,17 @@ --- -- name: "(Install: Debian/Ubuntu) Add NGINX Amplify Agent Repository" +- name: (Debian/Ubuntu) Add NGINX Amplify agent repository apt_repository: filename: nginx-amplify - repo: deb [arch=amd64] http://packages.amplify.nginx.com/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} amplify-agent + repo: "deb [arch=amd64] https://packages.amplify.nginx.com/{{ ansible_facts['distribution'] | lower }}/ + {{ ansible_facts['distribution_release'] | lower }} amplify-agent" + update_cache: yes + mode: 0644 + when: ansible_facts['distribution_release'] != "focal" + +- name: (Ubuntu 20.04) Add NGINX Amplify agent repository + apt_repository: + filename: nginx-amplify + repo: deb [arch=amd64] https://packages.amplify.nginx.com/py3/ubuntu focal amplify-agent + update_cache: yes + mode: 0644 + when: ansible_facts['distribution_release'] == "focal" diff --git a/ansible/roles/nginxinc.nginx/tasks/amplify/setup-redhat.yml b/ansible/roles/nginxinc.nginx/tasks/amplify/setup-redhat.yml index 154da5e..ba332d8 100644 --- a/ansible/roles/nginxinc.nginx/tasks/amplify/setup-redhat.yml +++ b/ansible/roles/nginxinc.nginx/tasks/amplify/setup-redhat.yml @@ -1,8 +1,9 @@ --- -- name: "(Install: CentOS/RedHat/Amazon Linux) Add NGINX Amplify Agent Repository" +- name: (Amazon Linux/CentOS/RHEL) Add NGINX Amplify agent repository yum_repository: name: nginx-amplify - baseurl: http://packages.amplify.nginx.com/{{ (ansible_distribution == "Amazon") | ternary('amzn/', 'centos/') }}/$releasever/$basearch/ + baseurl: http://packages.amplify.nginx.com/{{ (ansible_facts['distribution'] == "Amazon") | ternary('amzn/', 'centos/') }}/$releasever/$basearch/ description: NGINX Amplify Agent enabled: yes gpgcheck: yes + mode: 0644 diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/cleanup-config.yml b/ansible/roles/nginxinc.nginx/tasks/conf/cleanup-config.yml deleted file mode 100644 index 9eb405c..0000000 
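Review bot: In the `setup-redhat.yml` hunk the `baseurl` stays on plain `http://packages.amplify.nginx.com/…` while the `setup-debian.yml` hunk above moves the same host to `https://` in this commit; with `gpgcheck: yes` the packages themselves are still signature-checked, but repository metadata is fetched in cleartext and can be tampered with or blocked on the path. Changing the scheme is a one-line edit: `baseurl: https://packages.amplify.nginx.com/{{ (ansible_facts['distribution'] == "Amazon") | ternary('amzn/', 'centos/') }}/$releasever/$basearch/`. The `yum_repository` task also declares `gpgcheck: yes` without a `gpgkey:`, so verification relies on a key imported elsewhere — presumably the NGINX key from `setup-keys.yml`; if the Amplify packages are signed with a different key, installs fail rather than silently succeed, but naming the expected key here would make the trust chain explicit.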
--- a/ansible/roles/nginxinc.nginx/tasks/conf/cleanup-config.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: "(Setup: All OSs) Remove NGINX configuration files" - file: - path: "{{ item }}" - state: absent - with_items: - - "{{ nginx_cleanup_config_path }}" - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/debug-output.yml b/ansible/roles/nginxinc.nginx/tasks/conf/debug-output.yml deleted file mode 100644 index 6ad7ba1..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/conf/debug-output.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: "(Setup: All OSs) Register NGINX configuration" - command: nginx -T - changed_when: false - register: nginx_configuration - -- name: "(Setup: All OSs) Print NGINX configuration" - debug: - var: nginx_configuration.stdout_lines diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/setup-status.yml b/ansible/roles/nginxinc.nginx/tasks/conf/setup-status.yml deleted file mode 100644 index a69c43e..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/conf/setup-status.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -- name: "(Setup: NGINX Open Source) Enable NGINX Open Source Status" - blockinfile: - path: "{{ nginx_status_location }}" - create: yes - block: | - server { - listen 127.0.0.1:{{ nginx_status_port | default('80') }}; - location /nginx_status { - stub_status on; - allow 127.0.0.1; - deny all; - } - } - when: nginx_type == "opensource" - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: NGINX Plus) Enable NGINX Plus Status" - blockinfile: - path: "{{ nginx_status_location }}" - create: yes - block: | - server { - listen 127.0.0.1:{{ nginx_status_port | default('80') }}; - location /status { - status; - allow 127.0.0.1; - deny all; - } - } - when: nginx_type == "plus" - notify: "(Handler: All OSs) Reload NGINX" 
diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/template-config.yml b/ansible/roles/nginxinc.nginx/tasks/conf/template-config.yml deleted file mode 100644 index 21205f0..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/conf/template-config.yml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -- name: "(Setup: All NGINX) Ensure HTML Directory Exists" - file: - path: "{{ item.value.html_file_location | default('/usr/share/nginx/html') }}" - state: directory - with_dict: "{{ nginx_html_demo_template }}" - when: nginx_html_demo_template_enable | bool - -- name: "(Setup: All NGINX) Dynamically Generate HTML Files" - template: - src: "{{ item.value.template_file | default('www/index.html.j2') }}" - dest: "{{ item.value.html_file_location | default('/usr/share/nginx/html') }}/{{ item.value.html_file_name | default('index.html') }}" - backup: yes - with_dict: "{{ nginx_html_demo_template }}" - when: nginx_html_demo_template_enable | bool - -- name: "(Setup: All NGINX) Ensure NGINX Main Directory Exists" - file: - path: "{{ nginx_main_template.conf_file_location | default('/etc/nginx') }}" - state: directory - when: nginx_main_template_enable | bool - -- name: "(Setup: All NGINX) Dynamically Generate NGINX Main Configuration File" - template: - src: "{{ nginx_main_template.template_file | default('nginx.conf.j2') }}" - dest: "{{ nginx_main_template.conf_file_location | default('/etc/nginx') }}/{{ nginx_main_template.conf_file_name | default('nginx.conf') }}" - backup: yes - when: nginx_main_template_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure NGINX HTTP Directory Exists" - file: - path: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/') }}" - state: directory - with_dict: "{{ nginx_http_template }}" - when: nginx_http_template_enable | bool - -- name: "(Setup: All NGINX) Ensure NGINX Proxy Cache Directories Exist" - file: - path: "{{ item.1.path }}" - state: directory - owner: "{{ nginx_main_template.user | default('nginx') }}" - with_subelements: - - "{{ nginx_http_template }}" - - proxy_cache.proxy_cache_path - - skip_missing: true - when: nginx_http_template_enable | bool - -- name: "(Setup: All NGINX) Dynamically Generate NGINX HTTP Configuration Files" - template: - 
src: "{{ item.value.template_file | default('http/default.conf.j2') }}" - dest: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/') }}/{{ item.value.conf_file_name | default('default.conf') }}" - backup: yes - with_dict: "{{ nginx_http_template }}" - when: nginx_http_template_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - - -- name: "(Setup: All NGINX) Dynamically Generate NGINX API Configuration File" - template: - src: "{{ nginx_rest_api_template_file | default('http/api.conf.j2') }}" - dest: "{{ nginx_rest_api_file_location | default('/etc/nginx/conf.d/api.conf') }}" - backup: yes - notify: "(Handler: All OSs) Reload NGINX" - when: nginx_rest_api_enable | bool - -- name: "(Setup: All NGINX) Ensure NGINX Stream Directory Exists" - file: - path: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/stream/') }}" - state: directory - with_dict: "{{ nginx_stream_template }}" - when: nginx_stream_template_enable | bool - -- name: "(Setup: All NGINX) Dynamically Generate NGINX Stream Configuration Files" - template: - src: "{{ item.value.template_file | default('stream/default.conf.j2') }}" - dest: "{{ item.value.conf_file_location | default('/etc/nginx/conf.d/stream/') }}/{{ item.value.conf_file_name | default('default.conf') }}" - backup: yes - with_dict: "{{ nginx_stream_template }}" - notify: "(Handler: All OSs) Reload NGINX" - when: nginx_stream_template_enable | bool diff --git a/ansible/roles/nginxinc.nginx/tasks/conf/upload-config.yml b/ansible/roles/nginxinc.nginx/tasks/conf/upload-config.yml deleted file mode 100644 index 66c68dd..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/conf/upload-config.yml +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -- name: "(Setup: All NGINX) Ensure NGINX Main Directory Exists" - file: - path: "{{ nginx_main_upload_dest | default('/etc/nginx/') }}" - state: directory - when: nginx_main_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX Main Configuration File" - copy: - src: "{{ nginx_main_upload_src | default('conf/nginx.conf') }}" - dest: "{{ nginx_main_upload_dest | default('/etc/nginx/') }}" - backup: yes - when: nginx_main_upload_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure NGINX HTTP Directory Exists" - file: - path: "{{ nginx_http_upload_dest | default('/etc/nginx/conf.d/') }}" - state: directory - when: nginx_http_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX HTTP Configuration Files" - copy: - src: "{{ item }}" - dest: "{{ nginx_http_upload_dest | default('/etc/nginx/conf.d/') }}" - backup: yes - with_fileglob: "{{ nginx_http_upload_src }}" - when: nginx_http_upload_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure NGINX Stream Directory Exists" - file: - path: "{{ nginx_stream_upload_dest | default('/etc/nginx/conf.d/') }}" - state: directory - when: nginx_stream_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX Stream Configuration Files" - copy: - src: "{{ item }}" - dest: "{{ nginx_stream_upload_dest | default('/etc/nginx/conf.d/') }}" - backup: yes - with_fileglob: "{{ nginx_stream_upload_src }}" - when: nginx_stream_upload_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure NGINX HTML Directory Exists" - file: - path: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}" - state: directory - when: nginx_html_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX HTML Files" - copy: - src: "{{ item }}" - dest: "{{ nginx_html_upload_dest | default('/usr/share/nginx/html') }}" - backup: yes - with_fileglob: "{{ nginx_html_upload_src 
}}" - when: nginx_html_upload_enable | bool - notify: "(Handler: All OSs) Reload NGINX" - -- name: "(Setup: All NGINX) Ensure SSL Certificate Directory Exists" - file: - path: "{{ nginx_ssl_crt_upload_dest | default('/etc/ssl/certs/') }}" - state: directory - when: nginx_ssl_upload_enable | bool - -- name: "(Setup: All NGINX) Ensure SSL Key Directory Exists" - file: - path: "{{ nginx_ssl_key_upload_dest | default('/etc/ssl/private/') }}" - state: directory - when: nginx_ssl_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX SSL Certificates" - copy: - src: "{{ item }}" - dest: "{{ nginx_ssl_crt_upload_dest | default('/etc/ssl/certs/') }}" - mode: 0640 - decrypt: yes - backup: yes - with_fileglob: "{{ nginx_ssl_crt_upload_src }}" - when: nginx_ssl_upload_enable | bool - -- name: "(Setup: All NGINX) Upload NGINX SSL Keys" - copy: - src: "{{ item }}" - dest: "{{ nginx_ssl_key_upload_dest | default('/etc/ssl/private/') }}" - mode: 0640 - decrypt: yes - backup: yes - with_fileglob: "{{ nginx_ssl_key_upload_src }}" - no_log: yes - when: nginx_ssl_upload_enable | bool diff --git a/ansible/roles/nginxinc.nginx/tasks/config/debug-output.yml b/ansible/roles/nginxinc.nginx/tasks/config/debug-output.yml new file mode 100644 index 0000000..0ea0a41 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/config/debug-output.yml @@ -0,0 +1,12 @@ +--- +- name: Register NGINX config + command: nginx -T + ignore_errors: "{{ ansible_check_mode }}" + check_mode: no + changed_when: false + register: config_full + +- name: Print NGINX config + debug: + var: config_full.stdout_lines + when: config_full.stdout_lines is defined diff --git a/ansible/roles/nginxinc.nginx/tasks/config/modify-systemd.yml b/ansible/roles/nginxinc.nginx/tasks/config/modify-systemd.yml new file mode 100644 index 0000000..cad1b25 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/config/modify-systemd.yml 
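Review bot: `nginx -T` prints the entire effective configuration, and the `debug` task then writes all of it to the play output, so any sensitive directives it contains (credentials embedded in `proxy_pass` URLs, `auth_basic_user_file` paths, internal hostnames) reach the controller's stdout and whatever collects Ansible logs. The step is gated by `nginx_debug_output` and clearly meant for troubleshooting, so a comment making that trade-off visible would help: `# nginx -T dumps the full config; enable nginx_debug_output only where play output is not retained`. Alternatively, `no_log: true` on the `command` task keeps the registered result out of verbose output while leaving the explicit `debug` step as the only place the config is printed.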
@@ -0,0 +1,37 @@ +--- +- name: Create override directory for NGINX systemd service + file: + path: "{{ nginx_service_overridepath }}" + state: directory + mode: 0755 + +- name: Create override for NGINX systemd service + template: + src: "{{ role_path }}/templates/services/nginx.service.override.conf.j2" + dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}" + owner: root + group: root + mode: 0644 + when: + - not nginx_service_custom | bool + - not nginx_service_clean | bool + notify: (Handler) Systemd daemon-reload + +- name: Customize override for NGINX systemd service + copy: + src: "{{ nginx_service_custom_file }}" + dest: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}" + owner: root + group: root + mode: 0644 + when: + - nginx_service_custom | bool + - not nginx_service_clean | bool + notify: (Handler) Systemd daemon-reload + +- name: Remove override for NGINX systemd service + file: + path: "{{ nginx_service_overridepath }}" + state: absent + when: nginx_service_clean | bool + notify: (Handler) Systemd daemon-reload diff --git a/ansible/roles/nginxinc.nginx/tasks/config/setup-logrotate.yml b/ansible/roles/nginxinc.nginx/tasks/config/setup-logrotate.yml new file mode 100644 index 0000000..a01c629 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/config/setup-logrotate.yml 
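Review bot: The `Remove override for NGINX systemd service` task deletes the whole `{{ nginx_service_overridepath }}` directory with `state: absent`, while the two tasks before it only manage the single file `{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}` inside it. If that path is the service's drop-in directory, any other drop-ins placed there by the operator or another role are removed too. Scoping the cleanup to the managed file keeps the role's side effects symmetric with what it creates: `path: "{{ nginx_service_overridepath }}/{{ nginx_service_overridefilename }}"`. The override directory is also created with `mode: 0755` but no `owner`/`group`, unlike the files written into it; adding `owner: root` and `group: root` there would make the ownership explicit.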
@@ -0,0 +1,36 @@ +--- +- name: (Alpine Linux) Install logrotate + apk: + name: logrotate + when: ansible_facts['os_family'] == "Alpine" + +- name: (Debian/Ubuntu) Install logrotate + apt: + name: logrotate + state: present + when: ansible_facts['os_family'] == "Debian" + +- name: (Amazon Linux/CentOS/Oracle Linux/RHEL) Install logrotate + yum: + name: logrotate + state: present + when: ansible_facts['os_family'] == "RedHat" + +- name: (SLES) Set up logrotate + block: + - name: (SLES) Configure logrotate repository + zypper_repository: + repo: https://download.opensuse.org/repositories/openSUSE:Leap:42.1/standard/openSUSE:Leap:42.1.repo + + - name: (SLES) Install Logrotate + zypper: + name: logrotate + state: present + when: ansible_facts['os_family'] == "Suse" + +- name: Create logrotate config + template: + src: logrotate/nginx.j2 + dest: /etc/logrotate.d/nginx + mode: 0644 + notify: (Handler) Run logrotate diff --git a/ansible/roles/nginxinc.nginx/tasks/keys/apk-key.yml b/ansible/roles/nginxinc.nginx/tasks/keys/apk-key.yml deleted file mode 100644 index 131634d..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/keys/apk-key.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: "(Install: APK OSs) Set Default APK NGINX Signing Key URL" - set_fact: - default_keysite: https://nginx.org/keys/nginx_signing.rsa.pub - -- name: "(Install: APK OSs) Set APK NGINX Signing Key URL" - set_fact: - keysite: "{{ nginx_signing_key | default(default_keysite) }}" - -- name: "(Install: APK OSs) Download NGINX Signing Key" - get_url: - url: "{{ keysite }}" - dest: /etc/apk/keys/nginx_signing.rsa.pub diff --git a/ansible/roles/nginxinc.nginx/tasks/keys/apt-key.yml b/ansible/roles/nginxinc.nginx/tasks/keys/apt-key.yml deleted file mode 100644 index ef7f140..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/keys/apt-key.yml +++ /dev/null 
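Review bot: The SLES block registers the whole `openSUSE:Leap:42.1/standard` repository system-wide just to install `logrotate`, which adds an external package source (for a Leap release that, as far as I know, is no longer maintained) to every later `zypper` transaction on the host, not only this one. If the repository is genuinely needed, consider giving it a low `priority`, disabling it after the install, or documenting why the distribution's own logrotate package is insufficient. The `zypper_repository` task also does not say how the repository's signing key becomes trusted (`auto_import_keys` is not set), so first-refresh behaviour depends on zypper defaults and is worth a comment. Separately, the Alpine `apk:` task omits the `state: present` that its Debian and RedHat siblings declare; adding it makes the three consistent.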
@@ -1,12 +0,0 @@ ---- -- name: "(Install: APT OSs) Set Default APT NGINX Signing Key URL" - set_fact: - default_keysite: https://nginx.org/keys/nginx_signing.key - -- name: "(Install: APT OSs) Set APT NGINX Signing Key URL" - set_fact: - keysite: "{{ nginx_signing_key | default(default_keysite) }}" - -- name: "(Install: APT OSs) Add APT NGINX Signing Key" - apt_key: - url: "{{ keysite }}" diff --git a/ansible/roles/nginxinc.nginx/tasks/keys/rpm-key.yml b/ansible/roles/nginxinc.nginx/tasks/keys/rpm-key.yml deleted file mode 100644 index 0323d56..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/keys/rpm-key.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: "(Install: RPM OSs) Set Default RPM NGINX Signing Key" - set_fact: - default_keysite: >- - {{ (ansible_distribution_major_version|int == 6) - | ternary('http://nginx.org/keys/nginx_signing.key', 'https://nginx.org/keys/nginx_signing.key') }} - -- name: "(Install: RPM OSs) Set RPM NGINX Signing Key URL" - set_fact: - keysite: "{{ nginx_signing_key | default(default_keysite) }}" - -- name: "(Install: RPM OSs) Add RPM NGINX Signing Key" - rpm_key: - key: "{{ keysite }}" diff --git a/ansible/roles/nginxinc.nginx/tasks/keys/setup-keys.yml b/ansible/roles/nginxinc.nginx/tasks/keys/setup-keys.yml new file mode 100644 index 0000000..fb9dccc --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/keys/setup-keys.yml 
@@ -0,0 +1,31 @@ +--- +- name: (Alpine Linux) Set up signing key + block: + - name: (Alpine Linux) Set up NGINX signing key URL + set_fact: + keysite: "{{ nginx_signing_key | default(nginx_default_signing_key_rsa_pub) }}" + + - name: (Alpine Linux) Download NGINX signing key + get_url: + url: "{{ keysite }}" + dest: /etc/apk/keys/nginx_signing.rsa.pub + mode: 0400 + when: ansible_facts['os_family'] == "Alpine" + +- name: (Debian/Red Hat/SLES OSs) Set up NGINX signing key URL + set_fact: + keysite: "{{ nginx_signing_key | default(nginx_default_signing_key_pgp) }}" + when: ansible_facts['os_family'] != "Alpine" + +- name: (Debian/Ubuntu) Add NGINX signing key + apt_key: + id: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 + url: "{{ keysite }}" + when: ansible_facts['os_family'] == "Debian" + +- name: (Amazon Linux/CentOS/Oracle Linux/RHEL/SLES) Add NGINX signing key + rpm_key: + fingerprint: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 + key: "{{ keysite }}" + validate_certs: "{{ (ansible_facts['distribution_major_version'] is version('6', '==')) | ternary('no', 'yes') }}" + when: ansible_facts['os_family'] in ['RedHat', 'Suse'] diff --git a/ansible/roles/nginxinc.nginx/tasks/main.yml b/ansible/roles/nginxinc.nginx/tasks/main.yml index ead4e9b..59a2865 100644 --- a/ansible/roles/nginxinc.nginx/tasks/main.yml +++ b/ansible/roles/nginxinc.nginx/tasks/main.yml 
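Review bot: The Alpine branch downloads the signing key with `get_url` and no `checksum:`, so the trust anchor for every later `apk` install is whatever `keysite` serves at run time, whereas the Debian and RedHat/SLES branches pin the key with `id:` / `fingerprint:` `573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62`. Adding `checksum: sha256:<sha256 of the published nginx_signing.rsa.pub>` to the `get_url` task would give the Alpine path the same pinned trust, and it should be reviewed whenever `nginx_default_signing_key_rsa_pub` changes. On the RPM side `validate_certs` is switched off for major version 6 hosts; because `fingerprint` is pinned, a substituted key is rejected rather than imported, which deserves a comment next to that line, e.g. `# TLS validation is skipped on major version 6; the pinned fingerprint still rejects a substituted key`.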
@@ -1,85 +1,88 @@ --- -- import_tasks: prerequisites/install-prerequisites.yml +- name: Check whether you are using a supported NGINX distribution + assert: + that: (nginx_type == "opensource" and ansible_facts['distribution'] in nginx_distributions) + or (nginx_type == "plus" and ansible_facts['distribution'] in nginx_plus_distributions) + success_msg: "Your OS, {{ ansible_facts['distribution'] }} is supported by NGINX {{ (nginx_type=='plus') | ternary('Plus', 'Open Source') }}" + fail_msg: "Your OS, {{ ansible_facts['distribution'] }} is not supported by NGINX {{ (nginx_type=='plus') | ternary('Plus', 'Open Source') }}" + when: + - nginx_install | bool + - (nginx_install_from == "nginx_repository" or nginx_type == "plus") + ignore_errors: yes + tags: nginx_check_support + +- name: Set up prerequisites + include_tasks: "{{ role_path }}/tasks/prerequisites/prerequisites.yml" tags: nginx_prerequisites -- import_tasks: keys/apt-key.yml - when: - - ansible_os_family == "Debian" - - nginx_install_from == "nginx_repository" - or nginx_amplify_enable - or nginx_unit_enable - tags: nginx_aptkey +- name: Set up signing keys + include_tasks: "{{ role_path }}/tasks/keys/setup-keys.yml" + when: (nginx_install | bool and nginx_install_from == "nginx_repository") + or nginx_amplify_enable | bool + tags: nginx_key -- import_tasks: keys/rpm-key.yml - when: - - ansible_os_family == "RedHat" - or ansible_os_family == "Suse" - - nginx_install_from == "nginx_repository" - or nginx_amplify_enable - or nginx_unit_enable - tags: nginx_rpmkey - -- import_tasks: keys/apk-key.yml - when: ansible_os_family == "Alpine" - tags: nginx_apkkey - -- name: "(Install: Debian/Ubuntu/CentOS/RedHat/FreeBSD) Install NGINX" +- name: Install and Configure NGINX block: + - name: Install NGINX + block: + - name: Install NGINX Open Source + include_tasks: "{{ role_path }}/tasks/opensource/install-oss.yml" + when: nginx_type == "opensource" + tags: nginx_install_oss - - import_tasks: 
opensource/install-oss.yml - when: nginx_type == "opensource" - tags: nginx_install_oss + - name: Set up NGINX Plus license + include_tasks: "{{ role_path }}/tasks/plus/setup-license.yml" + when: + - nginx_type == "plus" + - nginx_setup_license | bool + tags: nginx_setup_license - - import_tasks: plus/install-plus.yml - when: nginx_type == "plus" - tags: nginx_install_plus + - name: Install NGINX Plus + include_tasks: "{{ role_path }}/tasks/plus/install-{{ ansible_facts['os_family'] | lower }}.yml" + when: nginx_type == "plus" + tags: nginx_install_plus - - import_tasks: conf/cleanup-config.yml - when: nginx_cleanup_config | bool - tags: nginx_cleanup_config + - name: Install NGINX modules + include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml" + when: + - nginx_modules is defined + - nginx_modules | length > 0 + tags: nginx_install_modules - - import_tasks: conf/upload-config.yml - when: nginx_main_upload_enable - or nginx_http_upload_enable - or nginx_stream_upload_enable - or nginx_html_upload_enable - or nginx_ssl_upload_enable - tags: nginx_upload_config + - name: Remove NGINX Plus license + include_tasks: "{{ role_path }}/tasks/plus/remove-license.yml" + when: + - nginx_type == "plus" + - nginx_remove_license | bool + tags: nginx_remove_license - - import_tasks: conf/template-config.yml - when: nginx_main_template_enable - or nginx_http_template_enable - or nginx_stream_template_enable - or nginx_rest_api_enable - tags: nginx_template_config + - name: Modify systemd parameters + include_tasks: "{{ role_path }}/tasks/config/modify-systemd.yml" + when: + - ansible_facts['service_mgr'] == "systemd" + - nginx_service_modify | bool + tags: nginx_modify_systemd + when: nginx_install | bool + tags: nginx_install - - import_tasks: conf/setup-status.yml - when: nginx_status_enable | bool - tags: nginx_setup_status + - name: Ensure NGINX is running + meta: flush_handlers - - import_tasks: modules/install-modules.yml - when: true in nginx_modules.values() - 
tags: nginx_install_modules - - - import_tasks: conf/debug-output.yml + - name: Debug NGINX output + include_tasks: "{{ role_path }}/tasks/config/debug-output.yml" when: nginx_debug_output | bool tags: nginx_debug_output - - import_tasks: plus/delete-license.yml - when: - - nginx_type == "plus" - - nginx_delete_license - tags: nginx_delete_license - + - name: Configure logrotate for NGINX + include_tasks: "{{ role_path }}/tasks/config/setup-logrotate.yml" + when: nginx_logrotate_conf_enable | bool + tags: nginx_logrotate_config when: nginx_enable | bool -- import_tasks: amplify/install-amplify.yml +- name: Install NGINX Amplify + include_tasks: "{{ role_path }}/tasks/amplify/install-amplify.yml" when: - nginx_amplify_enable | bool - nginx_amplify_api_key is defined - nginx_amplify_api_key | length > 0 tags: nginx_install_amplify - -- import_tasks: unit/install-unit.yml - when: nginx_unit_enable | bool - tags: nginx_install_unit diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-geoip.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-geoip.yml deleted file mode 100644 index 124d0f0..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-geoip.yml +++ /dev/null 
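Review bot: The new `Check whether you are using a supported NGINX distribution` task is an `assert` with `ignore_errors: yes`, so an unsupported distribution only produces a red task and the play continues straight into the install; if the check is meant as a guard, drop `ignore_errors: yes`, and if a warning is intended, say so where it is read, e.g. `# informational only: unsupported distributions are reported, not blocked`. The `meta: flush_handlers` task is named `Ensure NGINX is running`, but it only runs handlers notified earlier in the play and does nothing when none were, so the name promises more than the step delivers — `Flush pending NGINX handlers` would be accurate. Key setup is gated on `nginx_install_from == "nginx_repository"` or Amplify, while `Install NGINX Plus` runs for `nginx_type == "plus"` regardless of `nginx_install_from`; whether the Plus install files supply their own key is not visible in this hunk, so this may be intentional.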
@@ -1,29 +0,0 @@ ---- -- name: "(Install: CentOS) Install GeoIP Required CentOS Dependencies" - yum: - name: - - epel-release - when: ansible_distribution == "CentOS" - -- name: "(Install: All OSs) Install NGINX Open Source GeoIP Module" - package: - name: "nginx-module-geoip{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus GeoIP Module" - package: - name: "nginx-plus-module-geoip{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX GeoIP Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: "{{ item }}" - with_items: - - load_module modules/ngx_http_geoip_module.so; - - load_module modules/ngx_stream_geoip_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-image-filter.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-image-filter.yml deleted file mode 100644 index bbce180..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-image-filter.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Open Source Image Filter Module" - package: - name: "nginx-module-image-filter{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus Image Filter Module" - package: - name: "nginx-plus-module-image-filter{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX Image Filter Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_http_image_filter_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" 
diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-modules.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-modules.yml index d055fe4..51e6c87 100644 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-modules.yml +++ b/ansible/roles/nginxinc.nginx/tasks/modules/install-modules.yml 
@@ -1,28 +1,33 @@ --- -- import_tasks: install-njs.yml - when: nginx_modules.njs | default(false) - -- import_tasks: install-perl.yml - when: nginx_modules.perl | default(false) - -- import_tasks: install-geoip.yml +- name: (CentOS) Install GeoIP dependencies + yum: + name: epel-release when: - - nginx_modules.geoip | default(false) - - ansible_os_family != "RedHat" - - ansible_distribution_major_version != "8" + - ansible_facts['distribution'] == "CentOS" + - '"geoip" in nginx_modules' -- import_tasks: install-image-filter.yml - when: nginx_modules.image_filter | default(false) - -- import_tasks: install-rtmp.yml +- name: Install NGINX modules + package: + name: "nginx-{{ (nginx_type == 'plus') | ternary('plus-', '') }}module-{{ item.name | default(item) }}\ + {{ item.version | default(nginx_version) | default('') }}" + state: "{{ item.state | default('present') }}" + loop: "{{ nginx_modules }}" when: - - nginx_modules.rtmp | default(false) - - nginx_type == "plus" - -- import_tasks: install-xslt.yml - when: nginx_modules.xslt | default(false) - -- import_tasks: install-waf.yml - when: - - nginx_modules.waf | default(false) - - nginx_type == "plus" + - (item.name | default(item) in nginx_modules_list and nginx_type == 'opensource') + or (item.name | default(item) in nginx_plus_modules_list and nginx_type == 'plus') + - not (item.name | default(item) == "auth-spnego") + or not (ansible_facts['os_family'] == "Alpine" and (ansible_facts['distribution_version'] | regex_search('^[0-9]+\\.[0-9]+') is version('3.8', '=='))) + - not (item.name | default(item) == "geoip") + or not ((ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '==')) + or (ansible_facts['os_family'] == "FreeBSD")) + - not (item.name | default(item) == "brotli") + or not ((ansible_facts['os_family'] == "Alpine") + or (ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('8', '<')) + or 
(ansible_facts['os_family'] == "Debian" and ansible_facts['distribution_major_version'] is version('9', '==')) + or (ansible_facts['os_family'] == "Suse" and ansible_facts['distribution_major_version'] is version('12', '<')) + or (ansible_facts['distribution'] == "Amazon") + or (ansible_facts['distribution'] == "OracleLinux")) + - not (item.name | default(item) == "geoip2") or not (ansible_facts['os_family'] == "Suse") + - not (item.name | default(item) == "opentracing") + or not ((ansible_facts['os_family'] == "Suse" and ansible_facts['distribution_major_version'] is version('12', '==')) + or (ansible_facts['os_family'] == "RedHat" and ansible_facts['distribution_major_version'] is version('6', '=='))) diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-njs.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-njs.yml deleted file mode 100644 index f0a2a8a..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-njs.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Open Source JavaScript Module" - package: - name: "nginx-module-njs{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus JavaScript Module" - package: - name: "nginx-plus-module-njs{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX JavaScript Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: "{{ item }}" - with_items: - - load_module modules/ngx_http_js_module.so; - - load_module modules/ngx_stream_js_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-perl.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-perl.yml deleted file mode 100644 index eb8fac3..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-perl.yml +++ /dev/null 
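Review bot: The `(CentOS) Install GeoIP dependencies` task tests `'"geoip" in nginx_modules'`, which only matches when the list entry is the plain string `geoip`, while the install task below accepts dict entries via `item.name | default(item)`; a user who writes `- name: geoip` (for example to set `version` or `state`) gets the module package but not `epel-release`. Normalising the names before the membership test closes that gap, e.g. `- '"geoip" in ((nginx_modules | select("mapping") | map(attribute="name") | list) + (nginx_modules | reject("mapping") | list))'`. A second point worth documenting: the deleted per-module task files also prepended `load_module` directives to `/etc/nginx/nginx.conf` when the main template was not used, and the consolidated task only installs packages, so users who relied on that now need the directives in their own configuration — a comment above the task or a line in the role's README would save support questions.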
@@ -1,25 +0,0 @@ ---- -- name: "(Install: All OSs) Install Perl Dependency" - package: - name: perl - state: present - -- name: "(Install: All OSs) Install NGINX Open Source Perl Module" - package: - name: "nginx-module-perl{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus Perl Module" - package: - name: "nginx-plus-module-perl{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX Perl Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_http_perl_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-rtmp.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-rtmp.yml deleted file mode 100644 index 77b1dfd..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-rtmp.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Plus RTMP Module" - package: - name: "nginx-plus-module-rtmp{{ nginx_version | default('') }}" - state: present - -- name: "(Setup: All NGINX) Load NGINX RTMP Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_rtmp_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-waf.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-waf.yml deleted file mode 100644 index 806cfd3..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-waf.yml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Plus WAF Module" - package: - name: "nginx-plus-module-modsecurity{{ nginx_version | default('') }}" - state: present - -- name: "(Setup: NGINX Plus) Load NGINX Plus WAF Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_http_modsecurity_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/modules/install-xslt.yml b/ansible/roles/nginxinc.nginx/tasks/modules/install-xslt.yml deleted file mode 100644 index d73f552..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/modules/install-xslt.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Open Source XSLT Module" - package: - name: "nginx-module-xslt{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus XSLT Module" - package: - name: "nginx-plus-module-xslt{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX XSLT Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_http_xslt_filter_module.so; - when: not nginx_main_template_enable - notify: "(Handler: All OSs) Reload NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-alpine.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-alpine.yml new file mode 100644 index 0000000..a884a9d --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-alpine.yml 
@@ -0,0 +1,15 @@
+---
+- name: (Alpine Linux) Configure NGINX repository
+ lineinfile:
+ path: /etc/apk/repositories
+ insertafter: EOF
+ line: "{{ nginx_repository | default(nginx_default_repository_alpine) }}"
+
+- name: (Alpine Linux) Install NGINX
+ apk:
+ name: "nginx{{ nginx_version | default('') }}"
+ repository: "{{ nginx_repository | default(nginx_default_repository_alpine) }}"
+ state: "{{ nginx_state }}"
+ update_cache: yes
+ ignore_errors: "{{ ansible_check_mode }}"
+ notify: (Handler) Run NGINX
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-bsd.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-bsd.yml
new file mode 100644
index 0000000..de78d65
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-bsd.yml
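Review bot: The repository line is appended to `/etc/apk/repositories` but no signing key is installed alongside it, so `apk` will reject packages from that repository as untrusted unless the key is provisioned elsewhere in the role (none of the new install files does it). The same gap is present in install-debian.yml (`apt_repository` with `update_cache: yes` and no key), install-redhat.yml (`gpgcheck: yes` and `gpgcheck = 1` with no `gpgkey`) and install-suse.yml (`zypper_repository` with neither a key nor `auto_import_keys`). For Alpine, add a task that places the repository's public key under `/etc/apk/keys/` before the install task; for the others supply the key through `gpgkey:`, `apt_key`/`rpm_key` or `auto_import_keys` so that signature verification actually happens instead of the install failing or being forced past the check.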
@@ -0,0 +1,78 @@ +--- +- name: (FreeBSD) Update ports + block: + - name: (FreeBSD) Fetch ports + command: portsnap fetch --interactive + args: + creates: /var/db/portsnap/INDEX + + - name: (FreeBSD) Extract ports + command: portsnap extract + args: + creates: /usr/ports + when: + - ansible_facts['system'] == "FreeBSD" + - nginx_bsd_update_ports | bool + +- name: (FreeBSD) Install NGINX + block: + - name: (FreeBSD) Install NGINX package + pkgng: + name: "www/nginx{{ nginx_version | default('') }}" + state: "{{ nginx_state }}" + when: nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + + - name: (FreeBSD) Install NGINX port + portinstall: + name: "www/nginx{{ nginx_version | default('') }}" + use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}" + state: "{{ nginx_state }}" + when: not nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + when: ansible_facts['system'] == "FreeBSD" + +- name: (OpenBSD) Install NGINX + block: + - name: (OpenBSD) Install NGINX package + openbsd_pkg: + name: "nginx{{ nginx_version | default('') }}" + build: no + state: "{{ nginx_state }}" + when: nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + + - name: (OpenBSD) Install NGINX port + openbsd_pkg: + name: "nginx{{ nginx_version | default('') }}" + build: yes + state: "{{ nginx_state }}" + when: not nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + when: ansible_facts['system'] == "OpenBSD" + +- name: (NetBSD) Install NGINX + block: + - name: (NetBSD) Install NGINX package + command: "pkg_add www/nginx{{ nginx_version | default('') }}" + when: nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + + - name: (NetBSD) Install NGINX port + fail: + msg: "{{ ansible_facts['system'] }} Install NGINX port not implemented." 
+ when: not nginx_bsd_install_packages | bool + when: ansible_facts['system'] == "NetBSD" + +- name: (DragonFlyBSD/HardenedBSD) Install NGINX + block: + - name: (DragonFlyBSD/HardenedBSD) Install NGINX package + command: "pkg install www/nginx{{ nginx_version | default('') }}" + when: nginx_bsd_install_packages | bool + notify: (Handler) Run NGINX + + - name: (DragonFlyBSD/HardenedBSD) Install NGINX port + fail: + msg: "{{ ansible_facts['system'] }} Install NGINX port not implemented." + when: not nginx_bsd_install_packages | bool + when: ansible_facts['system'] in ['DragonFlyBSD', 'HardenedBSD'] diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-debian.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-debian.yml new file mode 100644 index 0000000..8f1253c --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-debian.yml @@ -0,0 +1,15 @@ +--- +- name: (Debian/Ubuntu) Configure NGINX repository + apt_repository: + filename: nginx + repo: "{{ item }}" + update_cache: yes + mode: 0644 + loop: "{{ nginx_repository | default(nginx_default_repository_debian) }}" + +- name: (Debian/Ubuntu) Install NGINX + apt: + name: "nginx{{ nginx_version | default('') }}" + state: "{{ nginx_state }}" + ignore_errors: "{{ ansible_check_mode }}" + notify: (Handler) Run NGINX diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-bsd.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-bsd.yml deleted file mode 100644 index b8b5997..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-bsd.yml +++ /dev/null 
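Review bot: The NetBSD and DragonFlyBSD/HardenedBSD package tasks run `pkg_add` and `pkg install` through `command` with no `creates:` or `changed_when:`, so they report changed on every run, and `pkg install` is given no `-y`, so in a non-interactive run its confirmation prompt is most likely answered with the default and nothing is installed. Suggest `command: "pkg install -y www/nginx{{ nginx_version | default('') }}"` together with an `args: creates:` pointing at the installed nginx binary, and the equivalent `creates:` on the `pkg_add` task. The FreeBSD/OpenBSD branches use proper package modules and do not have this problem.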
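Review bot: `loop: "{{ nginx_repository | default(nginx_default_repository_debian) }}"` treats `nginx_repository` as a list, while install-alpine.yml, install-redhat.yml and install-suse.yml in this same commit use it as a single string (`line:`, `baseurl:`, `repo:`); a user who sets it as a string on Debian gets one `apt_repository` call per character. Either document that the variable is a list on Debian/Ubuntu only, or normalise it, e.g. `loop: "{{ [nginx_repository | default(nginx_default_repository_debian)] | flatten }}"`, so both shapes work.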
@@ -1,103 +0,0 @@ ---- -- name: "(Install: FreeBSD) Update ports" - block: - - - name: "(Install: FreeBSD) Fetch Ports" - command: portsnap fetch --interactive - args: - creates: /var/db/portsnap/INDEX - - - name: "(Install: FreeBSD) Extract Ports" - command: portsnap extract - args: - creates: /usr/ports - - when: - - ansible_system == 'FreeBSD' - - nginx_bsd_update_ports - -- name: "(Install: FreeBSD)" - block: - - - name: "(Install: FreeBSD) Install NGINX package" - pkgng: - name: "www/nginx{{ nginx_version | default('') }}" - state: "{{ nginx_state }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: FreeBSD) Install NGINX port" - portinstall: - name: "www/nginx{{ nginx_version | default('') }}" - use_packages: "{{ nginx_bsd_portinstall_use_packages | default(omit) }}" - state: "{{ nginx_state }}" - when: not nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - when: ansible_system == 'FreeBSD' - -- name: "(Install: OpenBSD)" - block: - - - name: "(Install: OpenBSD) Install NGINX package" - openbsd_pkg: - name: "nginx{{ nginx_version | default('') }}" - build: false - state: "{{ nginx_state }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: OpenBSD) Install NGINX port" - openbsd_pkg: - name: "nginx{{ nginx_version | default('') }}" - build: true - state: "{{ nginx_state }}" - when: not nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - when: ansible_system == 'OpenBSD' - -- name: "(Install: NetBSD)" - block: - - - name: "(Install: NetBSD) Install NGINX package" - command: "pkg_add www/nginx{{ nginx_version | default('') }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: NetBSD) Install NGINX port" - fail: - msg: "{{ ansible_system }} Install NGINX port not implemented." 
- when: not nginx_bsd_install_packages - - when: ansible_system == 'NetBSD' - -- name: "(Install: DragonFlyBSD)" - block: - - - name: "(Install: DragonFlyBSD) Install NGINX package" - command: "pkg install www/nginx{{ nginx_version | default('') }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: DragonFlyBSD) Install NGINX port" - fail: - msg: "{{ ansible_system }} Install NGINX port not implemented." - when: not nginx_bsd_install_packages - - when: ansible_system == 'DragonFlyBSD' - -- name: "(Install: HardenedBSD)" - block: - - - name: "(Install: HardenedBSD) Install NGINX package" - command: "pkg install www/nginx{{ nginx_version | default('') }}" - when: nginx_bsd_install_packages - notify: "(Handler: All OSs) Start NGINX" - - - name: "(Install: HardenedBSD) Install NGINX port" - fail: - msg: "{{ ansible_system }} Install NGINX port not implemented." - when: not nginx_bsd_install_packages - - when: ansible_system == 'HardenedBSD' diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-linux.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-linux.yml deleted file mode 100644 index 3525e63..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss-linux.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -- name: "(Install: Linux) Configure NGINX repo" - block: - - - import_tasks: setup-alpine.yml - when: ansible_os_family == "Alpine" - - - import_tasks: setup-debian.yml - when: ansible_os_family == "Debian" - - - import_tasks: setup-redhat.yml - when: ansible_os_family == "RedHat" - - - import_tasks: setup-suse.yml - when: ansible_os_family == "Suse" - - when: nginx_install_from == "nginx_repository" - -- name: "(Install: Linux) Install NGINX from source" - import_tasks: setup-source.yml - when: nginx_install_from == "source" - -- name: "(Install: Linux) Install NGINX package" - package: - name: "nginx{{ nginx_version | default('') }}" - state: "{{ nginx_state }}" - when: nginx_install_from == "os_repository" - notify: "(Handler: All OSs) Start NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss.yml index a2b8584..1a573ad 100644 --- a/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss.yml +++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-oss.yml 
@@ -1,8 +1,22 @@
 ---
-- name: "(Install: OSS Linux)"
- import_tasks: install-oss-linux.yml
- when: ansible_os_family in nginx_linux_families
+- name: Install NGINX in Linux systems
+ block:
+ - name: Install NGINX from repository
+ include_tasks: "{{ role_path }}/tasks/opensource/install-{{ ansible_facts['os_family'] | lower }}.yml"
+ when: nginx_install_from == "nginx_repository"
-- name: "(Install: OSS BSD)"
- import_tasks: install-oss-bsd.yml
- when: ansible_system in nginx_bsd_systems
+ - name: Install NGINX from source
+ include_tasks: "{{ role_path }}/tasks/opensource/install-source.yml"
+ when: nginx_install_from == "source"
+
+ - name: Install NGINX from package
+ package:
+ name: "nginx{{ nginx_version | default('') }}"
+ state: "{{ nginx_state }}"
+ when: nginx_install_from == "os_repository"
+ notify: (Handler) Run NGINX
+ when: ansible_facts['system'] | lower is not search('bsd')
+
+- name: Install NGINX in Unix systems
+ include_tasks: "{{ role_path }}/tasks/opensource/install-bsd.yml"
+ when: ansible_facts['system'] | lower is search('bsd')
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-redhat.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-redhat.yml
new file mode 100644
index 0000000..6fc1691
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-redhat.yml
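Review bot: The `include_tasks` path is built from `ansible_facts['os_family'] | lower`, but this commit only adds install-alpine/debian/redhat/suse.yml, so any other non-BSD family (the removed code gated on `nginx_linux_families`) now fails with a missing-file error rather than a clear skip or message. Restoring a gate on the block, e.g. `- ansible_facts['os_family'] in ['Alpine', 'Debian', 'RedHat', 'Suse']`, or an `assert` with a `fail_msg` listing the supported families, would make the unsupported case explicit. Note also that the block's `when` is only evaluated per task, so `include_tasks` still renders its path on BSD hosts before being skipped; that is harmless here but worth a one-line comment.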
@@ -0,0 +1,34 @@
+---
+- name: (CentOS/RHEL 6/7) Configure NGINX repository
+ yum_repository:
+ name: nginx
+ baseurl: "{{ nginx_repository | default(nginx_default_repository_redhat) }}"
+ description: NGINX Repository
+ enabled: yes
+ gpgcheck: yes
+ mode: 0644
+ when: ansible_facts['distribution_major_version'] is version('8', '<')
+
+- name: (CentOS/RHEL 8) Configure NGINX repository
+ blockinfile:
+ path: /etc/yum.repos.d/nginx.repo
+ create: yes
+ block: |
+ [nginx]
+ baseurl = {{ nginx_repository | default(nginx_default_repository_redhat) }}
+ enabled = 1
+ gpgcheck = 1
+ name = NGINX Repository
+ module_hotfixes = true
+ mode: 0644
+ when: ansible_facts['distribution_major_version'] is version('8', '==')
+
+- name: (CentOS/RHEL) Install NGINX
+ yum:
+ name: "nginx{{ nginx_version | default('') }}"
+ state: "{{ nginx_state }}"
+ disablerepo: "*"
+ enablerepo: nginx
+ update_cache: yes
+ ignore_errors: "{{ ansible_check_mode }}"
+ notify: (Handler) Run NGINX
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-source.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-source.yml
new file mode 100644
index 0000000..af2cf8d
--- /dev/null
+++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-source.yml
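Review bot: The two repository tasks only cover major versions `< 8` and `== 8`, so a host on a later major version gets no repository file while the install task still runs with `disablerepo: "*"` and `enablerepo: nginx` and fails; `when: ansible_facts['distribution_major_version'] is version('8', '>=')` on the blockinfile task would cover newer releases as well. Because every other repository is disabled during the install, a dependency of the nginx package that is not already present on the host cannot be resolved; the removed setup-redhat.yml pre-installed `openssl` before this step, possibly for that reason, and the new file drops it. Either keep a dependency pre-install step or narrow `disablerepo` to the repos that actually conflict.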
@@ -0,0 +1,450 @@ +--- +- name: Check for build tools + block: + - name: (CentOS/RHEL 8) Setup Python 3 + block: + - name: (CentOS/RHEL 8) Install Python 3 + yum: + name: + - python3 + - python3-pip + - python3-devel + update_cache: yes + + - name: (Centos/RHEL 8) Set Python 3 as default + alternatives: + name: python + path: /usr/bin/python3 + link: /usr/bin/python + when: + - ansible_facts['os_family'] == "RedHat" + - ansible_facts['distribution_major_version'] is version('8', '==') + + - name: (Centos/RHEL) Install build tools + yum: + name: + - "@Development tools" + - ca-certificates + - gcc + - gd + - gd-devel + - glibc + - glibc-common + - perl-core + - wget + - zlib-devel + update_cache: yes + when: ansible_facts['os_family'] == "RedHat" + + - name: (Debian) Install backports repo for 'buster' + apt_repository: + filename: buster-backports + repo: deb http://ftp.us.debian.org/debian buster-backports main + update_cache: yes + mode: 0644 + when: ansible_facts['distribution_release'] == "buster" + + - name: (Debian/Ubuntu) Install build tools + apt: + name: + - build-essential + - checkinstall + - libtemplate-perl + - python3-minimal + - perl + - tar + - zlib1g-dev + update_cache: yes + when: ansible_facts['os_family'] == "Debian" + + - name: (Alpine Linux) Install build tools + apk: + name: + - alpine-sdk + - build-base + - git + - openrc + - perl + - python3 + - linux-headers + - tar + - wget + update_cache: yes + when: ansible_facts['os_family'] == "Alpine" + + - name: (Alpine Linux) Enable OpenRC + copy: + content: "" + dest: /run/openrc/softlevel + force: no + owner: root + mode: 0644 + when: ansible_facts['os_family'] == "Alpine" + when: nginx_install_source_build_tools | bool + +- name: Check for source installs + block: + - name: Check for PCRE install + stat: + path: /tmp/{{ pcre_version }} + register: pcre_result + + - name: Check for ZLib install + stat: + path: /tmp/{{ zlib_version }} + register: zlib_result + + - name: Check for OpenSSL install + 
stat: + path: /tmp/{{ openssl_version }} + register: openssl_result + +- name: (CentOS/RHEL) Install PCRE dependency from package + yum: + name: pcre-devel + update_cache: yes + when: + - nginx_install_source_pcre | bool + - ansible_facts['os_family'] == "RedHat" + +- name: (Debian/Ubuntu) Install PCRE dependency from package + apt: + name: libpcre3-dev + update_cache: yes + when: + - nginx_install_source_pcre | bool + - ansible_facts['os_family'] == "Debian" + +- name: (Alpine Linux) Install PCRE dependency from package + apk: + name: pcre-dev + update_cache: yes + when: + - nginx_install_source_pcre | bool + - ansible_facts['os_family'] == "Alpine" + +- name: Install PCRE dependence from source + block: + - name: Download PCRE dependency + get_url: + url: "https://ftp.pcre.org/pub/pcre/{{ pcre_version }}.tar.gz" + dest: "/tmp/{{ pcre_version }}.tar.gz" + mode: 0600 + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + register: pcre_source + + - name: Unpack PCRE dependency + unarchive: + copy: no + dest: /tmp/ + src: "{{ pcre_source.dest }}" + mode: 0700 + + - name: Configure PCRE dependency + command: ./configure + args: + chdir: "/tmp/{{ pcre_version }}" + + - name: Make PCRE dependency + make: + chdir: "/tmp/{{ pcre_version }}" + + - name: Install PCRE dependency + make: + chdir: "/tmp/{{ pcre_version }}" + target: install + when: + - not pcre_result.stat.exists | bool + - not nginx_install_source_pcre | bool + - not ansible_check_mode | bool + +- name: (Centos/RHEL) Install ZLib dependency from package + yum: + name: zlib-devel + update_cache: yes + when: + - nginx_install_source_zlib | bool + - ansible_facts['os_family'] == "RedHat" + +- name: (Debian/Ubuntu) Install ZLib dependency from package + apt: + name: zlib1g-dev + update_cache: true + when: + - nginx_install_source_zlib | bool + - ansible_facts['os_family'] == "Debian" + +- name: (Alpine 
Linux) Install ZLib dependency from package + apk: + name: zlib-dev + update_cache: yes + when: + - nginx_install_source_zlib | bool + - ansible_facts['os_family'] == "Alpine" + +- name: Install ZLib dependency from source + block: + - name: Download ZLib dependency + get_url: + url: "https://zlib.net/{{ zlib_version }}.tar.gz" + dest: "/tmp/{{ zlib_version }}.tar.gz" + mode: 0600 + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + register: zlib_source + + - name: Unpack ZLib dependency + unarchive: + copy: no + dest: /tmp/ + src: "{{ zlib_source.dest }}" + mode: 0700 + + - name: Configure ZLib dependency + command: ./configure + args: + chdir: "/tmp/{{ zlib_version }}" + + - name: Make ZLib dependency + make: + chdir: "/tmp/{{ zlib_version }}" + + - name: Install ZLib dependency + make: + chdir: "/tmp/{{ zlib_version }}" + target: install + when: + - not zlib_result.stat.exists | bool + - not nginx_install_source_zlib | bool + - not ansible_check_mode | bool + +- name: (CentOS/RHEL) Install OpenSSL dependency from package + yum: + name: openssl-devel + update_cache: yes + when: + - nginx_install_source_openssl | bool + - ansible_facts['os_family'] == "RedHat" + +- name: (Debian/Ubuntu) Install OpenSSL dependency from package + apt: + name: libssl-dev + update_cache: yes + when: + - nginx_install_source_openssl | bool + - ansible_facts['os_family'] == "Debian" + +- name: (Alpine Linux) Install OpenSSL dependency from package + apk: + name: openssl-dev + update_cache: yes + when: + - nginx_install_source_openssl | bool + - ansible_facts['os_family'] == "Alpine" + +- name: Install OpenSSL dependency from source + block: + - name: Download OpenSSL dependency + get_url: + url: "https://www.openssl.org/source/{{ openssl_version }}.tar.gz" + dest: "/tmp/{{ openssl_version }}.tar.gz" + mode: 0600 + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and 
ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + register: openssl_source + + - name: Unpack OpenSSL dependency + unarchive: + copy: no + dest: /tmp/ + src: "{{ openssl_source.dest }}" + mode: 0700 + + - name: Configure OpenSSL dependency + command: ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib + args: + chdir: "/tmp/{{ openssl_version }}" + + - name: Make OpenSSL dependency + make: + chdir: "/tmp/{{ openssl_version }}" + + - name: Install OpenSSL dependency + make: + chdir: "/tmp/{{ openssl_version }}" + target: install + when: + - not openssl_result.stat.exists | bool + - not nginx_install_source_openssl | bool + - not ansible_check_mode | bool + +- name: Get NGINX version + block: + - name: Fetch NGINX version + uri: + url: https://trac.nginx.org/nginx/browser + return_content: yes + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + check_mode: no + register: nginx_versions + + - name: Set NGINX mainline version + set_fact: + nginx_version: "{{ nginx_versions.content | regex_search('release[^<]*') | regex_replace('release', 'nginx') }}" + when: nginx_branch == "mainline" + + - name: Set NGINX stable version 1/2 + set_fact: + nginx_version: "{{ nginx_versions.content | regex_search('stable[^<]*') | regex_replace('stable', 'release') }}" + when: nginx_branch == "stable" + + - name: Set NGINX stable version 2/2 + set_fact: + nginx_version: "{{ nginx_versions.content | regex_search(nginx_version + '[^<]*') | regex_replace('release', 'nginx') }}" + when: nginx_branch == "stable" + + - name: Set NGINX download filename + set_fact: + nginx_download_name: "{{ nginx_version }}" + + - name: Check for NGINX install + stat: + path: /usr/sbin/nginx + follow: yes + register: nginx_result + +- name: Add NGINX user + user: + name: nginx + +- name: Install NGINX + block: + - name: 
Download NGINX + get_url: + url: "https://nginx.org/download/{{ nginx_download_name }}.tar.gz" + dest: "/tmp/{{ nginx_download_name }}.tar.gz" + mode: 0600 + validate_certs: "{{ (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] is version('6', '==')) + | ternary('no', 'yes') }}" + register: nginx_source + + - name: Unpack NGINX + unarchive: + copy: no + dest: /tmp/ + src: "{{ nginx_source.dest }}" + mode: 0755 + + - name: Configure NGINX + command: >- + ./configure + --conf-path=/etc/nginx/nginx.conf + --error-log-path=/var/log/nginx/error.log + --http-log-path=/var/log/nginx/access.log + --lock-path=/var/lock/nginx.lock + --modules-path=/usr/lib/nginx/modules + --prefix=/usr + --pid-path=/var/run/nginx.pid + --with-http_ssl_module + --with-mail=dynamic + --with-stream + {{ nginx_install_source_pcre | ternary('', '--with-pcre=../' + pcre_version) }} + {{ nginx_install_source_zlib | ternary('', '--with-zlib=../' + zlib_version) }} + {{ nginx_install_source_openssl | ternary('', '--with-openssl=../' + openssl_version) }} + args: + chdir: "/tmp/{{ nginx_version }}" + register: nginx_configure + + - name: Make NGINX + make: + chdir: "/tmp/{{ nginx_version }}" + + - name: Install NGINX + make: + chdir: "/tmp/{{ nginx_version }}" + target: install + + - name: Upload systemd NGINX service file + copy: + src: services/nginx.systemd + dest: /lib/systemd/system/nginx.service + owner: root + group: root + mode: 0644 + when: ansible_facts['service_mgr'] == "systemd" + + - name: Enable systemd NGINX service file + systemd: + daemon_reload: yes + name: nginx + state: restarted + enabled: yes + when: ansible_facts['service_mgr'] == "systemd" + notify: "(Handler) Run NGINX" + + - name: Upload upstart NGINX service file + copy: + src: services/nginx.upstart + dest: /etc/init.d/nginx + owner: root + group: root + mode: 0755 + when: ansible_facts['service_mgr'] == "upstart" + + - name: Upload Upstart NGINX service conf file + copy: + src: 
services/nginx.conf.upstart + dest: /etc/init/nginx.conf + owner: root + group: root + mode: 0644 + when: ansible_facts['service_mgr'] == "upstart" + + - name: Enable Upstart NGINX service reload + command: initctl reload-configuration + when: ansible_facts['service_mgr'] == "upstart" + + - name: Start Upstart NGINX service reload + command: nginx + when: ansible_facts['service_mgr'] == "upstart" + notify: "(Handler) Run NGINX" + + - name: Upload SysVinit NGINX service file + copy: + src: services/nginx.sysvinit + dest: /etc/init.d/nginx + owner: root + group: root + mode: 0755 + when: ansible_facts['service_mgr'] == "sysvinit" + notify: "(Handler) Run NGINX" + + - name: Upload OpenRC NGINX service file + copy: + src: services/nginx.openrc + dest: /etc/init.d/nginx + owner: root + group: root + mode: 0755 + when: ansible_facts['service_mgr'] == "openrc" + + - name: Enable OpenRC NGINX service + command: rc-update add nginx default + when: ansible_facts['service_mgr'] == "openrc" + notify: (Handler) Run NGINX + when: + - not nginx_result.stat.exists | bool + - not ansible_check_mode | bool + +- name: Cleanup downloads + file: + path: "{{ item }}" + state: absent + loop: + - "{{ pcre_source.dest }}" + - "{{ zlib_source.dest }}" + - "{{ openssl_source.dest }}" + - "{{ nginx_source.dest }}" + when: item is defined diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/install-suse.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/install-suse.yml new file mode 100644 index 0000000..37e0e21 --- /dev/null +++ b/ansible/roles/nginxinc.nginx/tasks/opensource/install-suse.yml 
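Review bot: None of the four `get_url` downloads (PCRE, zlib, OpenSSL, NGINX) pins a `checksum:`, and on RHEL 6 hosts `validate_certs` is turned off, so on those hosts the sources that get compiled and installed as root are accepted with no integrity check at all and elsewhere rely on TLS alone; get_url's `checksum: "sha256:{{ pcre_checksum }}"` (example variable name, with the digest kept in role vars per component) closes this. The NGINX version is determined by regex-scraping an HTML page from trac.nginx.org into `nginx_version`, which is fragile and makes the build input change between runs without any change to the playbook. Separately, the final `Cleanup downloads` task templates `pcre_source.dest` and friends inside `loop`, which is rendered before the per-item `when`, so when any of the source-install blocks was skipped the registered result has no `dest` and the task likely errors instead of skipping; `"{{ pcre_source.dest | default('') }}"` per item with `when: item | length > 0` would be safer.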
@@ -0,0 +1,14 @@
+---
+- name: (SLES) Configure NGINX repository
+ zypper_repository:
+ name: "nginx-{{ nginx_branch }}"
+ repo: "{{ nginx_repository | default(nginx_default_repository_suse) }}"
+
+- name: (SLES) Install NGINX
+ zypper:
+ name: "nginx{{ nginx_version | default('') }}"
+ state: "{{ nginx_state }}"
+ disable_recommends: no
+ update_cache: yes
+ ignore_errors: "{{ ansible_check_mode }}"
+ notify: (Handler) Run NGINX
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-alpine.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/setup-alpine.yml
deleted file mode 100644
index f5aa5b9..0000000
--- a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-alpine.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-- name: "(Install: Alpine) Set Default APK NGINX Repository"
- set_fact:
- default_repository: >-
- https://nginx.org/packages/{{ (nginx_branch == 'mainline')
- | ternary('mainline/', '') }}alpine/v{{ ansible_distribution_version.split('.')[0] }}.{{ ansible_distribution_version.split('.')[1] }}/main
-
-- name: "(Install: Alpine) Set APK NGINX Repository"
- set_fact:
- repository: "{{ nginx_repository | default(default_repository) }}"
-
-- name: "(Install: Alpine) Add NGINX Repository"
- lineinfile:
- path: /etc/apk/repositories
- insertafter: EOF
- line: "{{ repository }}"
-
-- name: "(Install: Alpine) Install Required Alpine Dependencies"
- apk:
- name:
- - openssl
- - pcre
-
-- name: "(Install: Alpine) Install NGINX"
- apk:
- name: "nginx{{ nginx_version | default('') }}"
- repository: "{{ repository }}"
- state: "{{ nginx_state }}"
- notify: "(Handler: All OSs) Start NGINX"
diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-debian.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/setup-debian.yml
deleted file mode 100644
index a289956..0000000
--- a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-debian.yml
+++ /dev/null
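Review bot: The zypper repository is registered as `nginx-{{ nginx_branch }}`, so switching `nginx_branch` between runs leaves the previous branch's repository enabled next to the new one, and unlike install-redhat.yml the install task does not pin a single repository, so which branch's package is chosen is left to zypper's resolver. A fixed `name: nginx` keeps one repository per host (the repository URL presumably already encodes the branch, as the removed setup files did), and a short comment on the `name:` line stating that intent would stop a future edit from reintroducing the per-branch name.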
@@ -1,26 +0,0 @@ ---- -- name: "(Install: Debian/Ubuntu) Set Default APT NGINX Repository" - set_fact: - default_repository: - - >- - deb [arch=amd64] https://nginx.org/packages/{{ (nginx_branch == 'mainline') - | ternary('mainline/', '') }}{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} nginx - - >- - deb-src [arch=amd64] https://nginx.org/packages/{{ (nginx_branch == 'mainline') - | ternary('mainline/', '') }}{{ ansible_distribution | lower }}/ {{ ansible_distribution_release }} nginx - -- name: "(Install: Debian/Ubuntu) Set APT NGINX Repository" - set_fact: - repository: "{{ nginx_repository | default(default_repository) }}" - -- name: "(Install: Debian/Ubuntu) Add NGINX Repository" - apt_repository: - repo: "{{ item }}" - with_items: - - "{{ repository }}" - -- name: "(Install: Debian/Ubuntu) Install NGINX" - apt: - name: "nginx{{ nginx_version | default('') }}" - state: "{{ nginx_state }}" - notify: "(Handler: All OSs) Start NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-redhat.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/setup-redhat.yml deleted file mode 100644 index 45b19b4..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-redhat.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -- name: "(Install: CentOS/RedHat) Set Default YUM NGINX Repository" - set_fact: - default_repository: >- - https://nginx.org/packages/{{ (nginx_branch == 'mainline') - | ternary('mainline/', '') }}{{ (ansible_distribution == "RedHat") - | ternary('rhel', 'centos') }}/{{ ansible_distribution_major_version }}/$basearch/ - -- name: "(Install: CentOS/RedHat) Set YUM NGINX Repository" - set_fact: - repository: "{{ nginx_repository | default(default_repository) }}" - -- name: "(Install: CentOS/RedHat) Add NGINX Repository" - yum_repository: - name: nginx - baseurl: "{{ repository }}" - description: NGINX Repository - enabled: yes - gpgcheck: yes - -- name: "(Install: CentOS/RedHat) Install Required CentOS/RedHat Dependencies" - yum: - name: openssl - -- name: "(Install: CentOS/RedHat) Install NGINX" - yum: - name: "nginx{{ nginx_version | default('') }}" - state: "{{ nginx_state }}" - disablerepo: "*" - enablerepo: "nginx" - notify: "(Handler: All OSs) Start NGINX" diff --git a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-source.yml b/ansible/roles/nginxinc.nginx/tasks/opensource/setup-source.yml deleted file mode 100644 index f194daf..0000000 --- a/ansible/roles/nginxinc.nginx/tasks/opensource/setup-source.yml +++ /dev/null 
@@ -1,437 +0,0 @@ ---- -- name: "(Install: Linux) Check for build tools" - when: nginx_install_source_build_tools - block: - - - name: "(Install: Linux) Install Python - Centos/RHEL" - package: - name: - - python3 - - python3-pip - - python3-devel - state: present - when: ansible_os_family == "RedHat" - - - name: "(Install: Linux) Set Python3 default - Centos/RHEL" - alternatives: - name: python - path: /usr/bin/python3 - link: /usr/bin/python - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "8" - - - name: "(Install: Linux) Install Build Tools - Centos/RHEL" - package: - name: - - "@Development tools" - - gcc - - glibc - - glibc-common - - gd - - gd-devel - - perl-core - - wget - - ca-certificates - - zlib-devel - state: present - when: ansible_os_family == "RedHat" - - - name: "(Install: Linux) Install backports repo for Buster" - apt_repository: - repo: deb http://ftp.us.debian.org/debian buster-backports main - when: ansible_distribution_release == "buster" - - - name: "(Install: Linux) Install Build Tools - Debian/Ubuntu" - package: - name: - - python-minimal - - build-essential - - perl - - tar - - checkinstall - - zlib1g-dev - - libtemplate-perl - state: present - when: ansible_os_family == "Debian" - - - name: "(Install: Linux) Install Build Tools - Alpine" - package: - name: - - python - - alpine-sdk - - build-base - - git - - wget - - perl - - linux-headers - - tar - - openrc - state: present - when: ansible_os_family == "Alpine" - - - name: "(Install: Linux) Enable openrc - Alpine" - copy: - content: "" - dest: /run/openrc/softlevel - force: no - owner: root - mode: 0644 - when: ansible_os_family == "Alpine" - -- name: "(Install: Linux) Check for Source Installs" - block: - - - name: "(Install: Linux) Check for PCRE Install" - stat: - path: /tmp/{{ pcre_version }} - register: pcre_result - - - name: "(Install: Linux) Check for zlib Install" - stat: - path: /tmp/{{ zlib_version }} - register: zlib_result - - - name: 
"(Install: Linux) Check for openssl Install" - stat: - path: /tmp/{{ openssl_version }} - register: openssl_result - -- name: "(Install: Linux) Install PCRE Dependency: Package: Centos/RHEL" - when: nginx_install_source_pcre and ansible_os_family == "RedHat" - package: - name: pcre-devel - state: present - -- name: "(Install: Linux) Install PCRE Dependency: Package: Debian/Ubuntu" - when: nginx_install_source_pcre and ansible_os_family == "Debian" - package: - name: libpcre3–dev - state: present - -- name: "(Install: Linux) Install PCRE Dependency: Package: Alpine" - when: nginx_install_source_pcre and ansible_os_family == "Alpine" - package: - name: pcre-dev - state: present - -- name: "(Install: Linux) Install PCRE Dependency: Source" - when: not pcre_result.stat.exists and not nginx_install_source_pcre - block: - - - name: "(Install: Linux) Install PCRE Dependency: Download" - get_url: - url: "http://ftp.pcre.org/pub/pcre/{{ pcre_version }}.tar.gz" - dest: "/tmp/{{ pcre_version }}.tar.gz" - register: pcre_source - - - name: "(Install: Linux) Install PCRE Dependency: Unpack" - unarchive: - copy: no - dest: /tmp/ - src: "{{ pcre_source.dest }}" - register: pcre_source_unpack - - - name: "(Install: Linux) Install PCRE Dependency: Configure" - command: "./configure" - args: - chdir: "/tmp/{{ pcre_version }}" - register: pcre_configure - - - name: "(Install: Linux) Install PCRE Dependency: Install" - make: - chdir: "/tmp/{{ pcre_version }}" - - - name: "(Install: Linux) Install PCRE Dependency: Install" - make: - chdir: "/tmp/{{ pcre_version }}" - target: install - -- name: "(Install: Linux) Install zlib Dependency: Package: Centos/RHEL" - when: nginx_install_source_zlib and ansible_os_family == "RedHat" - package: - name: zlib-devel - state: present - -- name: "(Install: Linux) Install zlib Dependency: Package: Debian/Ubuntu" - when: nginx_install_source_zlib and ansible_os_family == "Debian" - package: - name: zlib1g-dev - state: present - -- name: "(Install: 
Linux) Install zlib Dependency: Package: Alpine" - when: nginx_install_source_zlib and ansible_os_family == "Alpine" - package: - name: zlib-dev - state: present - -- name: "(Install: Linux) Install zlib Dependency: Source" - when: not zlib_result.stat.exists and not nginx_install_source_zlib - block: - - - name: "(Install: Linux) Install zlib Dependency: Download" - get_url: - url: "http://zlib.net/{{ zlib_version }}.tar.gz" - dest: "/tmp/{{ zlib_version }}.tar.gz" - register: zlib_source - - - name: "(Install: Linux) Install zlib Dependency: Unpack" - unarchive: - copy: no - dest: /tmp/ - src: "{{ zlib_source.dest }}" - register: zlib_source_unpack - - - name: "(Install: Linux) Install zlib Dependency: Configure" - command: "./configure" - args: - chdir: "/tmp/{{ zlib_version }}" - register: zlib_configure - - - name: "(Install: Linux) Install zlib Dependency: Install" - make: - chdir: "/tmp/{{ zlib_version }}" - - - name: "(Install: Linux) Install zlib Dependency: Install" - make: - chdir: "/tmp/{{ zlib_version }}" - target: install - -- name: "(Install: Linux) Install OpenSSL Dependency: Package: Centos/RHEL" - when: nginx_install_source_openssl and ansible_os_family == "RedHat" - package: - name: openssl-devel - state: present - -- name: "(Install: Linux) Install OpenSSL Dependency: Package: Debian/Ubuntu" - when: nginx_install_source_openssl and ansible_os_family == "Debian" - package: - name: libssl-dev - state: present - -- name: "(Install: Linux) Install OpenSSL Dependency: Package: Alpine" - when: nginx_install_source_openssl and ansible_os_family == "Alpine" - package: - name: openssl-dev - state: present - -- name: "(Install: Linux) Install OpenSSL Dependency: Source" - when: not openssl_result.stat.exists and not nginx_install_source_openssl - block: - - - name: "(Install: Linux) Install OpenSSL Dependency: Download" - get_url: - url: "http://www.openssl.org/source/{{ openssl_version }}.tar.gz" - dest: "/tmp/{{ openssl_version }}.tar.gz" - register: 
openssl_source - - - name: "(Install: Linux) Install OpenSSL Dependency: Unpack" - unarchive: - copy: no - dest: /tmp/ - src: "{{ openssl_source.dest }}" - register: openssl_source_unpack - - - name: "(Install: Linux) Install OpenSSL Dependency: Configure" - command: "./config --prefix=/usr" - args: - chdir: "/tmp/{{ openssl_version }}" - register: openssl_configure - - - name: "(Install: Linux) Install OpenSSL Dependency: Make" - make: - chdir: "/tmp/{{ openssl_version }}" - - - name: "(Install: Linux) Install OpenSSL Dependency: Install" - make: - chdir: "/tmp/{{ openssl_version }}" - target: install - -- name: "(Install: Linux) Install NGINX: Get NGINX version" - block: - - - name: "(Install: Linux) Install NGINX: Get NGINX mainline version" - shell: - args: - cmd: curl --stderr - https://trac.nginx.org/nginx/browser | grep release | head -1 | sed -e 's:.*