From 3bcc357509ae1738c5440258f8f35080c4de53d7 Mon Sep 17 00:00:00 2001
From: Patrick Marchand
Date: Mon, 29 Oct 2018 16:53:46 -0400
Subject: [PATCH] Make ip whitelist tasks more flexible

Now the list of whitelisted ip addresses can be updated simply by including the specific tasks in an external playbook without polluting our role list. This change takes effect for nginx, apache and fail2ban.
---
 apache/tasks/auth.yml | 11 +++--------
 apache/tasks/ip_whitelist.yml | 10 ++++++++++
 fail2ban/tasks/ip_whitelist.yml | 10 ++++++++++
 fail2ban/tasks/main.yml | 9 ++------
 nginx/tasks/ip_whitelist.yml | 10 ++++++++++
 nginx/tasks/main_regular.yml | 11 +++--------
 6 files changed, 38 insertions(+), 23 deletions(-)
 create mode 100644 apache/tasks/ip_whitelist.yml
 create mode 100644 fail2ban/tasks/ip_whitelist.yml
 create mode 100644 nginx/tasks/ip_whitelist.yml

diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml
index 03598682..f024f9cb 100644
--- a/apache/tasks/auth.yml
+++ b/apache/tasks/auth.yml
@@ -10,14 +10,9 @@
     force: no
   tags:
     - apache
-
-- name: add IP addresses to private IP whitelist
-  lineinfile:
-    dest: /etc/apache2/ipaddr_whitelist.conf
-    line: "Require ip {{ item }}"
-    state: present
-  with_items: "{{ apache_ipaddr_whitelist_present }}"
-  notify: reload apache
+
+- name: Load IP whitelist task
+  include: ip_whitelist.yml
   tags:
     - apache
 
diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml
new file mode 100644
index 00000000..c6dd0cc9
--- /dev/null
+++ b/apache/tasks/ip_whitelist.yml
@@ -0,0 +1,10 @@
+---
+- name: add IP addresses to private IP whitelist
+  lineinfile:
+    dest: /etc/apache2/ipaddr_whitelist.conf
+    line: "Require ip {{ item }}"
+    state: present
+  with_items: "{{ apache_ipaddr_whitelist_present }}"
+  notify: reload apache
+  tags:
+    - apache
\ No newline at end of file
diff --git a/fail2ban/tasks/ip_whitelist.yml b/fail2ban/tasks/ip_whitelist.yml
new file mode 100644
index 00000000..3bdd05f3
--- /dev/null
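Review bot: The new task uses the bare `include:` keyword, which Ansible has deprecated (since 2.4) in favour of the explicit static/dynamic forms, and the distinction matters here because the `tags:` on the include are meant to reach every task in the file. The static form `import_tasks: ip_whitelist.yml` keeps that behaviour (tags and any `when:` on the import are applied to each imported task), whereas `include_tasks` would apply them only to the include step itself and could skip the whitelist tasks when a play is run with `--tags apache`. The task whose `force: no` line opens this hunk starts outside the hunk.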
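Review bot: This task only ever adds `Require ip` lines (`state: present`), so an address dropped from `apache_ipaddr_whitelist_present` keeps its access until something else deletes the line; unless the role already has a matching `..._absent` pass, the allow-list can only grow, which is the wrong failure mode for an access-control file that this commit now invites people to drive from external playbooks. If the variable is meant to be the source of truth, rendering `ipaddr_whitelist.conf` with `template:` (or adding a `lineinfile` with `state: absent` over a removal list) makes revocation explicit. Since the file is intended to be imported on its own, a one-line header such as `# Standalone: import_tasks this file from any playbook to push the current whitelist` would document that. The file also ends without a trailing newline.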
+++ b/fail2ban/tasks/ip_whitelist.yml
@@ -0,0 +1,10 @@
+---
+- name: Update ignoreips lists
+  ini_file:
+    dest: /etc/fail2ban/jail.local
+    section: "[DEFAULT]"
+    option: "ignoreips"
+    value: "{{ fail2ban_ignore_ips | join(' ') }}"
+  notify: restart fail2ban
+  tags:
+    - fail2ban
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index db6af2d4..f8b20694 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -28,13 +28,8 @@
   tags:
     - fail2ban
 
-- name: update ignoreips lists
-  ini_file:
-    dest: /etc/fail2ban/jail.local
-    section: "[DEFAULT]"
-    option: "ignoreips"
-    value: "{{ fail2ban_ignore_ips | join(' ') }}"
-  notify: restart fail2ban
+- name: Include ignoredips update task
+  include: ip_whitelist.yml
   when: fail2ban_force_update_ignore_ips
   tags:
     - fail2ban
diff --git a/nginx/tasks/ip_whitelist.yml b/nginx/tasks/ip_whitelist.yml
new file mode 100644
index 00000000..3b443f65
--- /dev/null
+++ b/nginx/tasks/ip_whitelist.yml
@@ -0,0 +1,10 @@
+---
+- name: add IP addresses to private IP whitelist
+  lineinfile:
+    dest: /etc/nginx/snippets/ipaddr_whitelist
+    line: "allow {{ item }};"
+    state: present
+  with_items: "{{ nginx_ipaddr_whitelist_present }}"
+  notify: reload nginx
+  tags
+    - nginx
diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml
index 559bc5d1..c84949fe 100644
--- a/nginx/tasks/main_regular.yml
+++ b/nginx/tasks/main_regular.yml
@@ -49,14 +49,9 @@
   notify: reload nginx
   tags:
     - nginx
-
-- name: add IP addresses to private IP whitelist
-  lineinfile:
-    dest: /etc/nginx/snippets/ipaddr_whitelist
-    line: "allow {{ item }};"
-    state: present
-  with_items: "{{ nginx_ipaddr_whitelist_present }}"
-  notify: reload nginx
+
+- name: Include IP address whitelist task
+  include: ip_whitelist.yml
   tags:
     - nginx
 
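Review bot: The option written here is `ignoreips`, but the fail2ban setting that exempts addresses from banning is `ignoreip` (singular); unless this project's fail2ban is configured to read a custom key, the task writes a value fail2ban never consults and the listed hosts remain bannable, which defeats the whitelist. `section: "[DEFAULT]"` looks wrong for a related reason: `ini_file` takes the bare section name and adds the brackets itself, so as far as I can tell this produces a `[[DEFAULT]]` header instead of updating the real `[DEFAULT]` section — worth confirming by inspecting `jail.local` on a host after a run. If both are confirmed the fix is `section: DEFAULT` and `option: ignoreip`. Both values are carried over from the task removed from main.yml, so this is pre-existing, but the new file is now the single place that matters.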
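Review bot: `+  tags` on the second-to-last line of nginx/tasks/ip_whitelist.yml is missing its colon, so the file is not valid YAML (a plain scalar key with no `:` followed by a more-indented `- nginx`), and because main_regular.yml now statically includes it the whole nginx role fails at parse time, taking every nginx play down with it rather than just the whitelist update. The line should read `tags:`. A `--syntax-check` run or a yamllint step in CI on the role would have caught this before merge, and is cheap to add given these files are now meant to be imported from arbitrary external playbooks.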