Merge branch 'webhostname_whitelist' into 'master'

♻️: refactor allowlist See merge request dojo/ansible_dojo!5
2024-11-04 16:49:40 +00:00
parent 92cbac9568 95f38ef6f7
commit de98e260d8
19 changed files with 95 additions and 70 deletions
--- a/inventory/host_vars/bt.dmz.mateu.be.yml
+++ b/inventory/host_vars/bt.dmz.mateu.be.yml
@@ -1,9 +1,20 @@
 ---
 web_hostname:
-  - sonarr.mateu.be
+  - host: sonarr.mateu.be
-  - jackett.mateu.be
+  - host: jackett.mateu.be
-  - bt.mateu.be
+  - host: bt.mateu.be
-  - btf.mateu.be
+  - host: btf.mateu.be
    allowlistv4:
      - 88.175.123.77/32
    allowlistv6:
      - 2a01:e0a:9bd:2811::/64
      - 2a01:e0a:9bd:2810::/64
      - 2a01:e0a:fc:ebc0::/64
      - 2a01:cb00:8a0a:b700::/64
      - 2a01:e0a:d19:ef90::/64
      - 2001:910:13c8::/48
      - 2a01:e0a:bde:d350::/64
      - 2a01:cb00:f55:2d00::/64
 nginx_extra_mods:
  - fancyindex
--- a/inventory/host_vars/garage1.dmz.mateu.be.yml
+++ b/inventory/host_vars/garage1.dmz.mateu.be.yml
@@ -1,15 +1,15 @@
 ---
 web_hostname:
-  - garage.mateu.be
+  - host: garage.mateu.be
-  - mastodon-ndfr.garage.mateu.be
+  - host: mastodon-ndfr.garage.mateu.be
-  - medias.m.nintendojo.fr
+  - host: medias.m.nintendojo.fr
-  - nextcloud-libertus.garage.mateu.be
+  - host: nextcloud-libertus.garage.mateu.be
-  - peertube-videos-ndfr.garage.mateu.be
+  - host: peertube-videos-ndfr.garage.mateu.be
-  - videos.p.nintendojo.fr
+  - host: videos.p.nintendojo.fr
-  - peertube-playlists-ndfr.garage.mateu.be
+  - host: peertube-playlists-ndfr.garage.mateu.be
-  - playlists.p.nintendojo.fr
+  - host: playlists.p.nintendojo.fr
-  - peertube-original-ndfr.garage.mateu.be
+  - host: peertube-original-ndfr.garage.mateu.be
-  - original.p.nintendojo.fr
+  - host: original.p.nintendojo.fr
 restic_backup_path:
  - /etc
--- a/inventory/host_vars/jabber.dmz.mateu.be.yml
+++ b/inventory/host_vars/jabber.dmz.mateu.be.yml
@@ -1,8 +1,8 @@
 ---
 web_hostname:
-  - libertus.eu
+  - host: libertus.eu
-  - upload.libertus.eu
+  - host: upload.libertus.eu
-  - xmpp.libertus.eu
+  - host: xmpp.libertus.eu
 restic_backup_path:
  - /etc
--- a/inventory/host_vars/mail.dmz.mateu.be.yml
+++ b/inventory/host_vars/mail.dmz.mateu.be.yml
@@ -1,7 +1,7 @@
 ---
 web_hostname:
-  - imap.libertus.eu
+  - host: imap.libertus.eu
-  - smtp.libertus.eu
+  - host: smtp.libertus.eu
 restic_backup_path:
  - /home
--- a/inventory/host_vars/masto1.dmz.mateu.be.yml
+++ b/inventory/host_vars/masto1.dmz.mateu.be.yml
@@ -1,6 +1,6 @@
 ---
 web_hostname:
-  - m.nintendojo.fr
+  - host: m.nintendojo.fr
 restic_backup_path:
  - /srv
--- a/inventory/host_vars/munin.dmz.mateu.be.yml
+++ b/inventory/host_vars/munin.dmz.mateu.be.yml
@@ -1,6 +1,6 @@
 ---
 web_hostname:
-  - munin.mateu.be
+  - host: munin.mateu.be
 mikrotik_unitary_scripts:
  - mikrotikcpu_
--- a/inventory/host_vars/pt1.dmz.mateu.be.yml
+++ b/inventory/host_vars/pt1.dmz.mateu.be.yml
@@ -1,3 +1,3 @@
 ---
 web_hostname:
-  - p.nintendojo.fr
+  - host: p.nintendojo.fr
--- a/inventory/host_vars/voice3.dmz.mateu.be.yml
+++ b/inventory/host_vars/voice3.dmz.mateu.be.yml
@@ -1,3 +1,3 @@
 ---
 web_hostname:
-  - radio.nintendojo.fr
+  - host: radio.nintendojo.fr
--- a/inventory/host_vars/web1.dmz.mateu.be.yml
+++ b/inventory/host_vars/web1.dmz.mateu.be.yml
@@ -3,14 +3,14 @@ php_modules: ['opcache', 'pgsql', 'mbstring', 'gd', 'intl', 'curl', 'gettext', '
 php_memory_limit: "512M"
 web_hostname:
-  - fav.libertus.eu
+  - host: fav.libertus.eu
-  - rss.libertus.eu
+  - host: rss.libertus.eu
-  - o.libertus.eu
+  - host: o.libertus.eu
-  - blog.libertus.eu
+  - host: blog.libertus.eu
-  - mail.libertus.eu
+  - host: mail.libertus.eu
-  - perso.nintendojo.fr
+  - host: perso.nintendojo.fr
-  - perso.libertus.eu
+  - host: perso.libertus.eu
-  - r.mateu.be
+  - host: r.mateu.be
 mariadb_root_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
--- a/inventory/host_vars/web2.dmz.mateu.be.yml
+++ b/inventory/host_vars/web2.dmz.mateu.be.yml
@@ -2,13 +2,13 @@
 php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
 web_hostname:
-  - nintendojo.fr
+  - host: nintendojo.fr
-  - www.nintendojo.fr
+  - host: www.nintendojo.fr
-  - wwwdev.nintendojo.fr
+  - host: wwwdev.nintendojo.fr
-  - forum.nintendojo.fr
+  - host: forum.nintendojo.fr
-  - nintendojofr.com
+  - host: nintendojofr.com
-  - www.nintendojofr.com
+  - host: www.nintendojofr.com
-  - forum.nintendojofr.com
+  - host: forum.nintendojofr.com
 mariadb_root_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
--- a/inventory/host_vars/web3.dmz.mateu.be.yml
+++ b/inventory/host_vars/web3.dmz.mateu.be.yml
@@ -2,8 +2,8 @@
 php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
 web_hostname:
-  - sebicomics.com
+  - host: sebicomics.com
-  - www.sebicomics.com
+  - host: www.sebicomics.com
 mariadb_root_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
--- a/playbooks/webservers.yml
+++ b/playbooks/webservers.yml
@@ -1,5 +1,12 @@
 ---
 - name: Retrieve network info
  hosts: loadbalancers
  gather_facts: true
  gather_subset:
    - network
  tasks: []
 - name: Deploy web servers
  hosts: webservers
  diff: true
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -42,10 +42,10 @@ frontend http
 	acl letsencrypt path_beg /.well-known/acme-challenge
 	redirect scheme https code 301 if !letsencrypt
 {% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
-{% for hostname in hostvars[server]['web_hostname'] | sort %}
+{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
-	## {{ hostname }} configuration
+	## {{ hostname.host }} configuration
-	acl host_{{ hostname }} hdr(host) -i {{ hostname }}
+	acl host_{{ hostname.host }} hdr(host) -i {{ hostname.host }}
-	use_backend http_{{ server }} if letsencrypt host_{{ hostname }}
+	use_backend http_{{ server }} if letsencrypt host_{{ hostname.host }}
 {% endfor %}
 {% endfor %}
@@ -57,13 +57,14 @@ frontend https
 	tcp-request inspect-delay 3s
 	tcp-request content accept if { req.ssl_hello_type 1 }
 {% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
-{% for hostname in hostvars[server]['web_hostname'] | sort %}
+{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
-	## {{ hostname }} configuration
+	## {{ hostname.host }} configuration
-	acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
+	acl host_{{ hostname.host }} req.ssl_sni -i {{ hostname.host }}
-{% if hostname == "btf.mateu.be" %}
+{% if hostname.allowlistv4 is defined %}
-	acl network_allowed_{{ hostname }} src 88.175.123.77
+	acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}
 {% endif %}
-	use_backend https_{{ server }} if host_{{ hostname }}{% if hostname == "btf.mateu.be" %} network_allowed_{{ hostname }}{% endif %}
+	use_backend https_{{ server }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %}
 {% endfor %}
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@@ -2,8 +2,8 @@
 - name: Symlink vhosts
  ansible.builtin.file:
-    src: "/etc/nginx/sites-available/{{ item }}.conf"
+    src: "/etc/nginx/sites-available/{{ item.host }}.conf"
-    dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ item.host }}.conf"
    force: true
    follow: false
    state: link
@@ -13,8 +13,8 @@
 - name: Install vhosts
  ansible.builtin.template:
-    src: "vhosts/{{ item }}.conf.j2"
+    src: "vhosts/{{ item.host }}.conf.j2"
-    dest: "/etc/nginx/sites-available/{{ item }}.conf"
+    dest: "/etc/nginx/sites-available/{{ item.host }}.conf"
    mode: "0o644"
  notify:
    - Restart nginx
--- a/roles/nginx/templates/header.conf.j2
+++ b/roles/nginx/templates/header.conf.j2
@@ -1,10 +1,21 @@
 	listen *:443 ssl http2;
 	listen [::]:443 ssl http2;
-	ssl_certificate /etc/x509/{{ item }}/fullchain.cer;
+	ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
-	ssl_certificate_key /etc/x509/{{ item }}/{{ item }}.key;
+	ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
-	server_name {{ item }};
+	server_name {{ item.host }};
-	access_log /var/log/nginx/{{ item }}.access.log combined;
+	access_log /var/log/nginx/{{ item.host }}.access.log combined;
 	access_log syslog:server=unix:/dev/log combined;
-	error_log /var/log/nginx/{{ item }}.error.log;
+	error_log /var/log/nginx/{{ item.host }}.error.log;
 	error_log syslog:server=unix:/dev/log;
 {% if item.allowlistv4 is defined %}
 	allow {{ hostvars['haproxy.dmz.mateu.be'].ansible_default_ipv4.address }};
 {% endif %}
 {% if item.allowlistv6 is defined %}
 {% for addrv6 in item.allowlistv6 %}
 	allow {{ addrv6 }};
 {% endfor %}
 {% endif %}
 {% if item.allowlistv4 is defined or item.allowlistv6 is defined %}
 	deny all;
 {% endif %}
--- a/roles/nginx/templates/vhosts/btf.mateu.be.conf.j2
+++ b/roles/nginx/templates/vhosts/btf.mateu.be.conf.j2
@@ -1,4 +1,3 @@
 {% set allowed_ips=['10.233.212.2/32','10.233.212.64/27', '2a01:e0a:9bd:2811::/64', '2a01:e0a:9bd:2810::/64', '2a01:e0a:fc:ebc0::/64', '2a01:cb00:8a0a:b700::/64', '2a01:e0a:d19:ef90::/64', '2001:910:13c8::/48', '2a01:e0a:bde:d350::/64', '2a01:cb00:f55:2d00::/64'] -%}
 server {
 {% include './templates/header.conf.j2' %}
@@ -6,10 +5,6 @@ server {
 		root /net/;
 		fancyindex on;
 		fancyindex_exact_size off;
 		{% for allowed_ip in allowed_ips -%}
 		allow {{ allowed_ip }};
 		{% endfor -%}
 		deny all;
 	}
 }
--- a/roles/nginx/templates/vhosts/garage.mateu.be.conf.j2
+++ b/roles/nginx/templates/vhosts/garage.mateu.be.conf.j2
@@ -2,7 +2,7 @@ server {
 {% include './templates/header.conf.j2' %}
 	location / {
-		proxy_pass http://s3_backend_{{ item.split('.')|join('_') }};
+		proxy_pass http://s3_backend_{{ item.host.split('.')|join('_') }};
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header Host $host;
 		# Disable buffering to a temporary file.
@@ -10,7 +10,7 @@ server {
 	}
 }
-upstream s3_backend_{{ item.split('.')|join('_') }} {
+upstream s3_backend_{{ item.host.split('.')|join('_') }} {
 	# If you have a garage instance locally.
 	server [::1]:3900;
 }
--- a/roles/nginx/templates/vhosts/web.garage.mateu.be.conf.j2
+++ b/roles/nginx/templates/vhosts/web.garage.mateu.be.conf.j2
@@ -2,13 +2,13 @@ server {
 {% include './templates/header.conf.j2' %}
 	location / {
-		proxy_pass http://web_backend_{{ item.split('.')|join('_') }};
+		proxy_pass http://web_backend_{{ item.host.split('.')|join('_') }};
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header Host $host;
 	}
 }
-upstream web_backend_{{ item.split('.')|join('_') }} {
+upstream web_backend_{{ item.host.split('.')|join('_') }} {
 	# If you have a garage instance locally.
 	server [::1]:3902;
 }
--- a/roles/nsd/tasks/zones.yml
+++ b/roles/nsd/tasks/zones.yml
@@ -11,8 +11,8 @@
    dns_serial: "{{ ansible_date_time.epoch }}"
    web_hostname_block: |-
      {% for webserver in groups['webservers'] | sort -%}
-      {% for web_hostname in (hostvars[webserver]['web_hostname'] | select('match', '.+' ~ item.name) | sort) -%}
+      {% for web_hostname in (hostvars[webserver]['web_hostname'] | selectattr('host', 'match', '.+' ~ item.name) | sort(attribute='host')) -%}
-      {{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }}		IN CNAME {{ webserver }}.
+      {{ web_hostname.host | regex_replace('\.' ~ item.name ~ '$', '') }}		IN CNAME {{ webserver }}.
      {% endfor %}
      {% endfor %}