Make ip whitelist tasks more flexible

Now the list of whitelisted ip addresses can be updated simply by
including the specific tasks in an external playbook without polluting
our role list.

This change takes effect for nginx, apache and fail2ban.
Patrick Marchand 2018-10-29 16:53:46 -04:00
parent 588efc941e
commit 3bcc357509
6 changed files with 38 additions and 23 deletions


@ -10,14 +10,9 @@
force: no
tags:
- apache
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
with_items: "{{ apache_ipaddr_whitelist_present }}"
notify: reload apache
- name: Load IP whitelist task
include: ip_whitelist.yml
tags:
- apache
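Review bot: The new `include: ip_whitelist.yml` task uses the bare `include` action, which Ansible has deprecated since 2.4 in favour of `import_tasks` and `include_tasks`; the same applies to the includes added in the fail2ban and nginx task files. `import_tasks: ip_whitelist.yml` is the closer replacement, because a static import passes the `tags` (and, in the fail2ban case, the `when`) down to the imported task. The surrounding task list starts and ends outside this hunk.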


@ -0,0 +1,10 @@
---
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/apache2/ipaddr_whitelist.conf
line: "Require ip {{ item }}"
state: present
with_items: "{{ apache_ipaddr_whitelist_present }}"
notify: reload apache
tags:
- apache
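Review bot: `line: "Require ip {{ item }}"` writes each entry of `apache_ipaddr_whitelist_present` into the access-control file without checking that it is an address or CIDR range, and this file is now meant to be included from playbooks outside the role, so the list can come from more places than before. A malformed or over-broad value becomes a live `Require ip` rule, or a config that fails on reload. I would add a guard such as `when: item | ipaddr` to the task, or an `assert` on the list before it; the nginx copy (`line: "allow {{ item }};"`) needs the same. It is also worth a comment that `state: present` only ever adds lines, so an address dropped from the variable stays allowed until it is removed some other way.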


@ -0,0 +1,10 @@
---
- name: Update ignoreips lists
ini_file:
dest: /etc/fail2ban/jail.local
section: "[DEFAULT]"
option: "ignoreips"
value: "{{ fail2ban_ignore_ips | join(' ') }}"
notify: restart fail2ban
tags:
- fail2ban
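Review bot: The option name `ignoreips` and the section value `"[DEFAULT]"` both look wrong for what this task is meant to do. fail2ban reads its never-ban list from `ignoreip`, so unless `jail.local` interpolates `ignoreips` somewhere not shown here, the addresses in `fail2ban_ignore_ips` are written but not honoured. `ini_file` adds the brackets itself, so `section: "[DEFAULT]"` probably produces a `[[DEFAULT]]` header; `section: DEFAULT` and `option: ignoreip` are what I would expect. Both values were carried over unchanged from the task this commit moves out of the main task file.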


@ -28,13 +28,8 @@
tags:
- fail2ban
- name: update ignoreips lists
ini_file:
dest: /etc/fail2ban/jail.local
section: "[DEFAULT]"
option: "ignoreips"
value: "{{ fail2ban_ignore_ips | join(' ') }}"
notify: restart fail2ban
- name: Include ignoredips update task
include: ip_whitelist.yml
when: fail2ban_force_update_ignore_ips
tags:
- fail2ban


@ -0,0 +1,10 @@
---
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/ipaddr_whitelist
line: "allow {{ item }};"
state: present
with_items: "{{ nginx_ipaddr_whitelist_present }}"
notify: reload nginx
tags
- nginx
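Review bot: The last two lines of this new file read `tags` followed by `- nginx`, with no colon after `tags`, so the file does not parse as the task that the apache and fail2ban copies define, and the include in the nginx task file would fail. It should be `tags:`. Since the nginx allowlist is an access control, running `ansible-playbook --syntax-check` on a playbook that includes this file would catch this kind of slip before it reaches a host.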


@ -49,14 +49,9 @@
notify: reload nginx
tags:
- nginx
- name: add IP addresses to private IP whitelist
lineinfile:
dest: /etc/nginx/snippets/ipaddr_whitelist
line: "allow {{ item }};"
state: present
with_items: "{{ nginx_ipaddr_whitelist_present }}"
notify: reload nginx
- name: Include IP address whitelist task
include: ip_whitelist.yml
tags:
- nginx