From b776fc3da297c12c18a9b45369bc49f12dd66380 Mon Sep 17 00:00:00 2001
From: Patrick Marchand
Date: Mon, 29 Oct 2018 16:53:46 -0400
Subject: [PATCH] Make ip whitelist tasks more flexible

Now the list of whitelisted ip addresses can be updated simply by including the specific tasks in an external playbook without polluting our role list. This change takes effect for nginx, apache and fail2ban.
---
 apache/tasks/auth.yml | 11 +++--------
 apache/tasks/ip_whitelist.yml | 10 ++++++++++
 fail2ban/tasks/ip_whitelist.yml | 10 ++++++++++
 fail2ban/tasks/main.yml | 9 ++------
 nginx/tasks/ip_whitelist.yml | 10 ++++++++++
 nginx/tasks/main_regular.yml | 11 +++--------
 6 files changed, 38 insertions(+), 23 deletions(-)
 create mode 100644 apache/tasks/ip_whitelist.yml
 create mode 100644 fail2ban/tasks/ip_whitelist.yml
 create mode 100644 nginx/tasks/ip_whitelist.yml

diff --git a/apache/tasks/auth.yml b/apache/tasks/auth.yml
index 03598682..f024f9cb 100644
--- a/apache/tasks/auth.yml
+++ b/apache/tasks/auth.yml
@@ -10,14 +10,9 @@
     force: no
   tags:
     - apache
-
-- name: add IP addresses to private IP whitelist
-  lineinfile:
-    dest: /etc/apache2/ipaddr_whitelist.conf
-    line: "Require ip {{ item }}"
-    state: present
-  with_items: "{{ apache_ipaddr_whitelist_present }}"
-  notify: reload apache
+
+- name: Load IP whitelist task
+  include: ip_whitelist.yml
   tags:
     - apache
diff --git a/apache/tasks/ip_whitelist.yml b/apache/tasks/ip_whitelist.yml
new file mode 100644
index 00000000..c6dd0cc9
--- /dev/null
+++ b/apache/tasks/ip_whitelist.yml
@@ -0,0 +1,10 @@
+---
+- name: add IP addresses to private IP whitelist
+  lineinfile:
+    dest: /etc/apache2/ipaddr_whitelist.conf
+    line: "Require ip {{ item }}"
+    state: present
+  with_items: "{{ apache_ipaddr_whitelist_present }}"
+  notify: reload apache
+  tags:
+    - apache
\ No newline at end of file
diff --git a/fail2ban/tasks/ip_whitelist.yml b/fail2ban/tasks/ip_whitelist.yml
new file mode 100644
index 00000000..3bdd05f3
--- /dev/null
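Review bot: The replacement task `+- name: Load IP whitelist task` uses `include:`, which Ansible deprecated in 2.4 in favour of `import_tasks`/`include_tasks`; the same applies to the new include tasks in fail2ban/tasks/main.yml and nginx/tasks/main_regular.yml. Since the commit's purpose is to let an external playbook refresh the whitelist, note that a playbook outside the role cannot `include: ip_whitelist.yml` by relative path; the supported route is `include_role` with `name: apache` and `tasks_from: ip_whitelist`, which works because the new file sits under the role's tasks/ directory. Inside the role, `  import_tasks: ip_whitelist.yml` keeps the static behaviour that the surrounding `tags:` (and the `when:` in the fail2ban hunk) rely on. Which Ansible version the inventory runs on is not visible from the diff, so confirm before switching directives.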
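Review bot: `lineinfile` with `state: present` in the new apache/tasks/ip_whitelist.yml only ever adds `Require ip` lines, so an address dropped from `apache_ipaddr_whitelist_present` stays authorised in /etc/apache2/ipaddr_whitelist.conf until someone edits the file by hand; nginx/tasks/ip_whitelist.yml has the same shape. Unless an `_absent` counterpart exists elsewhere in these roles (nothing in the diff shows one), revocation is the case a whitelist most needs to get right, and rendering the whole file from the variable with `template:` (or `copy:` with `content:`) makes the on-disk list equal the declared list on every run. The new file is also missing its trailing newline (`\ No newline at end of file`).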
+++ b/fail2ban/tasks/ip_whitelist.yml
@@ -0,0 +1,10 @@
+---
+- name: Update ignoreips lists
+  ini_file:
+    dest: /etc/fail2ban/jail.local
+    section: "[DEFAULT]"
+    option: "ignoreips"
+    value: "{{ fail2ban_ignore_ips | join(' ') }}"
+  notify: restart fail2ban
+  tags:
+    - fail2ban
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index db6af2d4..f8b20694 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -28,13 +28,8 @@
   tags:
     - fail2ban
-- name: update ignoreips lists
-  ini_file:
-    dest: /etc/fail2ban/jail.local
-    section: "[DEFAULT]"
-    option: "ignoreips"
-    value: "{{ fail2ban_ignore_ips | join(' ') }}"
-  notify: restart fail2ban
+- name: Include ignoredips update task
+  include: ip_whitelist.yml
   when: fail2ban_force_update_ignore_ips
   tags:
     - fail2ban
diff --git a/nginx/tasks/ip_whitelist.yml b/nginx/tasks/ip_whitelist.yml
new file mode 100644
index 00000000..3b443f65
--- /dev/null
+++ b/nginx/tasks/ip_whitelist.yml
@@ -0,0 +1,10 @@
+---
+- name: add IP addresses to private IP whitelist
+  lineinfile:
+    dest: /etc/nginx/snippets/ipaddr_whitelist
+    line: "allow {{ item }};"
+    state: present
+  with_items: "{{ nginx_ipaddr_whitelist_present }}"
+  notify: reload nginx
+  tags
+    - nginx
diff --git a/nginx/tasks/main_regular.yml b/nginx/tasks/main_regular.yml
index 3168529a..5aff5ae4 100644
--- a/nginx/tasks/main_regular.yml
+++ b/nginx/tasks/main_regular.yml
@@ -50,14 +50,9 @@
   tags:
     - nginx
     - ips
-
-- name: add IP addresses to private IP whitelist
-  lineinfile:
-    dest: /etc/nginx/snippets/ipaddr_whitelist
-    line: "allow {{ item }};"
-    state: present
-  with_items: "{{ nginx_ipaddr_whitelist_present }}"
-  notify: reload nginx
+
+- name: Include IP address whitelist task
+  include: ip_whitelist.yml
   tags:
     - nginx
     - ips
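Review bot: The `ini_file` call in the new fail2ban/tasks/ip_whitelist.yml passes `section: "[DEFAULT]"`, but the module takes the bare section name and writes the brackets itself, so this looks for (and on first run creates) a `[[DEFAULT]]` header and leaves the real `[DEFAULT]` untouched; `option: "ignoreips"` likewise does not match fail2ban's `ignoreip` option. Both are carried over from the task removed in fail2ban/tasks/main.yml, and together they make the exemption list silently inert: the play reports a change and restarts fail2ban while every address in `fail2ban_ignore_ips` remains bannable, which nothing in the task would surface. Unless the role ships its own jail.local template that reads `ignoreips` (nothing in the diff shows one), the fix is `    section: DEFAULT` and `    option: ignoreip`; confirm by inspecting the rendered jail.local after a run.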
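Review bot: The replacement task name `Include ignoredips update task` in fail2ban/tasks/main.yml misspells the option ("ignoredips"), while the file it includes names the same step "Update ignoreips lists" on yet another spelling; a consistent `- name: Include fail2ban ignoreip update task` makes the step findable in play output. The `when: fail2ban_force_update_ignore_ips` guard still applies to each task pulled in by a static `include`, so the conditional behaviour of the removed task is preserved.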
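Review bot: `+  tags` near the end of the new nginx/tasks/ip_whitelist.yml is missing its colon, so the file is not valid YAML and the nginx role (and any external playbook that imports this task) will fail at parse time instead of whitelisting anything; the apache and fail2ban counterparts in this patch spell it `tags:`. Change the line to `  tags:`. A yamllint or `ansible-playbook --syntax-check` step in CI would have caught this before merge.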
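Review bot: The three new include tasks are named differently across the roles — `Load IP whitelist task` (apache), `Include ignoredips update task` (fail2ban) and `Include IP address whitelist task` here in nginx/tasks/main_regular.yml — for what is the same operation; a shared form such as `- name: Include IP whitelist tasks` makes the step recognisable in play output when an external playbook drives all three. The `- ips` tag is kept only on the include task, which is fine for a static `include` because tags propagate to the included tasks, but anyone later converting this to `include_tasks` will need the tag on the included file as well, since dynamic includes do not propagate tags.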