From 8ef9554746ba8a91075bbe55f9091e5a0d185b82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Wed, 15 Nov 2017 23:29:25 +0100
Subject: [PATCH] Combine evolix and additional trusted IP addresses
---
 apache/defaults/main.yml | 5 ++++-
 evolinux-base/defaults/main.yml | 5 ++++-
 evomaintenance/defaults/main.yml | 5 ++++-
 fail2ban/defaults/main.yml | 7 ++++++-
 minifirewall/defaults/main.yml | 7 ++++++-
 nagios-nrpe/defaults/main.yml | 5 ++++-
 nginx/defaults/main.yml | 5 ++++-
 7 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/apache/defaults/main.yml b/apache/defaults/main.yml
index 390adb43..b21e1d59 100644
--- a/apache/defaults/main.yml
+++ b/apache/defaults/main.yml
@@ -1,5 +1,8 @@
 ---
-apache_ipaddr_whitelist_present: []
+evolix_trusted_ips: []
+additional_trusted_ips: []
+# Let's merge evolix_trusted_ips with additional_trusted_ips
+apache_ipaddr_whitelist_present: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
 apache_ipaddr_whitelist_absent: []
 apache_private_htpasswd_present: []
diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml
index 6f2961a7..54e5d85c 100644
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@@ -108,7 +108,10 @@ evolinux_evomaintenance_include: True
 evolinux_ssh_include: True
-evolinux_ssh_password_auth_addresses: []
+evolix_trusted_ips: []
+additional_trusted_ips: []
+# Let's merge evolix_trusted_ips with additional_trusted_ips
+evolinux_ssh_password_auth_addresses: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
 evolinux_ssh_match_address: True
 evolinux_ssh_disable_acceptenv: True
 evolinux_ssh_allow_current_user: False
diff --git a/evomaintenance/defaults/main.yml b/evomaintenance/defaults/main.yml
index fc584481..2d0bf1b6 100644
--- a/evomaintenance/defaults/main.yml
+++ b/evomaintenance/defaults/main.yml
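Review bot: Starting with `apache_ipaddr_whitelist_present` in the apache hunk, one pair of lists now drives access controls of very different sensitivity, and the only comment is "Let's merge". An address added to `additional_trusted_ips` for the web whitelist also ends up in `evolinux_ssh_password_auth_addresses`, `fail2ban_ignore_ips`, `nagios_nrpe_allowed_hosts`, `evomaintenance_hosts`, `nginx_ipaddr_whitelist_present` and `minifirewall_trusted_ips` (the other six hunks). Judging by the variable names, that address may then log in over SSH with a password while fail2ban never bans it, so password guessing from it would be neither blocked nor rate-limited. I would replace the comment with something like `# Every address in these two lists is trusted by ALL roles (web whitelist, SSH password auth, fail2ban ignore, NRPE, firewall); override the role variable in inventory to narrow it`.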
@@ -17,4 +17,7 @@ evomaintenance_urgency_tel: "06.00.00.00.00"
 evomaintenance_realm: "{{ ansible_domain }}"
-evomaintenance_hosts: []
+evolix_trusted_ips: []
+additional_trusted_ips: []
+# Let's merge evolix_trusted_ips with additional_trusted_ips
+evomaintenance_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml
index d0716d95..73cd46cb 100644
--- a/fail2ban/defaults/main.yml
+++ b/fail2ban/defaults/main.yml
@@ -1,6 +1,11 @@
 ---
 general_alert_email: "root@localhost"
 fail2ban_alert_email: Null
-fail2ban_ignore_ips: []
+
+evolix_trusted_ips: []
+additional_trusted_ips: []
+# Let's merge evolix_trusted_ips with additional_trusted_ips
+fail2ban_ignore_ips: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
+
 fail2ban_wordpress: False
 fail2ban_roundcube: False
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index 02828d66..4c8498cf 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@@ -6,7 +6,12 @@ minifirewall_checkout_path: "/tmp/minifirewall"
 minifirewall_int: "{{ ansible_default_ipv4.interface }}"
 minifirewall_ipv6: "on"
 minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
-minifirewall_trusted_ips: ["0.0.0.0/0"]
+
+evolix_trusted_ips: []
+additional_trusted_ips: []
+# Let's merge evolix_trusted_ips with additional_trusted_ips
+# and default to ['0.0.0.0/0'] if the result is still empty
+minifirewall_trusted_ips: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique | default(['0.0.0.0/0'], true) }}"
 minifirewall_privilegied_ips: []
 minifirewall_protected_ports_tcp: [22]
diff --git a/nagios-nrpe/defaults/main.yml b/nagios-nrpe/defaults/main.yml
index c9ee2603..96c3ddd3 100644
--- a/nagios-nrpe/defaults/main.yml
+++ b/nagios-nrpe/defaults/main.yml
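Review bot: In the minifirewall hunk, `minifirewall_trusted_ips` fails open: with `default(['0.0.0.0/0'], true)`, an empty merge silently trusts every source address, whereas the other six roles end up with an empty list in the same situation. An empty merge happens whenever both lists are unset or a variable name is misspelled in inventory. The removed line had the same `["0.0.0.0/0"]` default, so the exposure is not new, but it is now hidden at the end of a filter chain and easy to trigger by accident. Consider failing the play when both lists are empty (an `assert` in the role's tasks, which are not part of this diff), or at least make the comment explicit: `# WARNING: if both lists are empty, ALL addresses (0.0.0.0/0) are trusted by the firewall`.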
@@ -1,5 +1,8 @@
 ---
-nagios_nrpe_allowed_hosts: []
+evolix_trusted_ips: []
+additional_trusted_ips: []
+# Let's merge evolix_trusted_ips with additional_trusted_ips
+nagios_nrpe_allowed_hosts: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
 nagios_nrpe_ldap_dc: "dc=DOMAIN,dc=EXT"
 nagios_nrpe_ldap_passwd: LDAP_PASSWD
 nagios_nrpe_pgsql_passwd: PGSQL_PASSWD
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index dd6e58d7..38dcbb89 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -3,7 +3,10 @@ nginx_minimal: False
 nginx_jessie_backports: False
-nginx_ipaddr_whitelist_present: []
+evolix_trusted_ips: []
+additional_trusted_ips: []
+# Let's merge evolix_trusted_ips with additional_trusted_ips
+nginx_ipaddr_whitelist_present: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique }}"
 nginx_ipaddr_whitelist_absent: []
 nginx_private_htpasswd_present: []