Apache/Nginx: use ipaddr_whitelist

apache/README.md

@@ -10,8 +10,8 @@ Everything is in the `tasks/main.yml` file for now.
 
 Main variables are :
 
-* `apache_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
+* `apache_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
-* `apache_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
+* `apache_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist;
 * `apache_private_htpasswd_present` : list of users to have in the private htpasswd ;
 * `apache_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
 * `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).

apache/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
-apache_private_ipaddr_whitelist_present: []
+apache_ipaddr_whitelist_present: []
-apache_private_ipaddr_whitelist_absent: []
+apache_ipaddr_whitelist_absent: []
 
 apache_private_htpasswd_present: []
 apache_private_htpasswd_absent: []

apache/tasks/auth.yml

@@ -1,8 +1,14 @@
 ---
 
+- name: "Rename private_ipaddr_whitelist if present"
+  command: "mv /etc/apache2/private_ipaddr_whitelist.conf /etc/apache2/ipaddr_whitelist.conf"
+  args:
+    removes: /etc/apache2/private_ipaddr_whitelist.conf
+    creates: /etc/apache2/ipaddr_whitelist.conf
+
 - name: Init ipaddr_whitelist.conf file
   copy:
-    src: private_ipaddr_whitelist.conf
+    src: ipaddr_whitelist.conf
     dest: /etc/apache2/ipaddr_whitelist.conf
     owner: root
     group: root
@@ -16,7 +22,7 @@
     dest: /etc/apache2/ipaddr_whitelist.conf
     line: "Require ip {{ item }}"
     state: present
-  with_items: "{{ apache_private_ipaddr_whitelist_present }}"
+  with_items: "{{ apache_ipaddr_whitelist_present }}"
   notify: reload apache
   tags:
   - apache
@@ -26,7 +32,7 @@
     dest: /etc/apache2/ipaddr_whitelist.conf
     line: "Require ip {{ item }}"
     state: absent
-  with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
+  with_items: "{{ apache_ipaddr_whitelist_absent }}"
   notify: reload apache
   tags:
   - apache

kibana/templates/nginx_proxy_kibana_nossl.j2

@@ -9,7 +9,7 @@ server {
   server_name {{ kibana_proxy_domain }};
 
   # Auth.
-  include /etc/nginx/snippets/private_ipaddr_whitelist;
+  include /etc/nginx/snippets/ipaddr_whitelist;
   deny all;
   auth_basic "Reserved {{ kibana_proxy_domain }}";
   auth_basic_user_file /etc/nginx/snippets/private_htpasswd;

kibana/templates/nginx_proxy_kibana_ssl.j2

@@ -19,7 +19,7 @@ server {
   ssl_certificate_key {{ kibana_proxy_ssl_key }};
 
   # Auth.
-  include /etc/nginx/snippets/private_ipaddr_whitelist;
+  include /etc/nginx/snippets/ipaddr_whitelist;
   deny all;
   auth_basic "Reserved {{ kibana_proxy_domain }}";
   auth_basic_user_file /etc/nginx/snippets/private_htpasswd;

nginx/README.md

@@ -18,8 +18,8 @@ Main variables are :
 
 * `nginx_minimal` : very basic install and config (default: `False`) ;
 * `nginx_jessie_backports` : on Debian Jessie, we can prefer v1.10 from backports (default: `False`) ;
-* `nginx_private_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
+* `nginx_ipaddr_whitelist_present` : list of IP addresses to have in the private whitelist ;
-* `nginx_private_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;
+* `nginx_ipaddr_whitelist_absent` : list of IP addresses **not** to have in the whitelist ;
 * `nginx_private_htpasswd_present` : list of users to have in the private htpasswd ;
 * `nginx_private_htpasswd_absent` : list of users to **not** have in the private htpasswd.
 

nginx/defaults/main.yml

@@ -3,8 +3,8 @@
 nginx_minimal: False
 nginx_jessie_backports: False
 
-nginx_private_ipaddr_whitelist_present: []
+nginx_ipaddr_whitelist_present: []
-nginx_private_ipaddr_whitelist_absent: []
+nginx_ipaddr_whitelist_absent: []
 
 nginx_private_htpasswd_present: []
 nginx_private_htpasswd_absent: []

nginx/tasks/main_regular.yml

@@ -38,13 +38,20 @@
   - nginx
 
 # TODO: verify that those permissions are correct :
-# not too strict for private_ipaddr_whitelist
+# not too strict for ipaddr_whitelist
 # and not too loose for private_htpasswd
 
-- name: Copy private_ipaddr_whitelist
+
+- name: "Rename private_ipaddr_whitelist if present"
+  command: "mv /etc/nginx/snippets/private_ipaddr_whitelist /etc/nginx/snippets/ipaddr_whitelist
+  args:
+    removes: /etc/nginx/snippets/private_ipaddr_whitelist
+    creates: /etc/nginx/snippets/ipaddr_whitelist
+
+- name: Copy ipaddr_whitelist
   copy:
-    src: nginx/snippets/private_ipaddr_whitelist
+    src: nginx/snippets/ipaddr_whitelist
-    dest: /etc/nginx/snippets/private_ipaddr_whitelist
+    dest: /etc/nginx/snippets/ipaddr_whitelist
     owner: www-data
     group: www-data
     directory_mode: "0640"
@@ -56,20 +63,20 @@
 
 - name: add IP addresses to private IP whitelist
   lineinfile:
-    dest: /etc/nginx/snippets/private_ipaddr_whitelist
+    dest: /etc/nginx/snippets/ipaddr_whitelist
     line: "allow {{ item }};"
     state: present
-  with_items: "{{ nginx_private_ipaddr_whitelist_present }}"
+  with_items: "{{ nginx_ipaddr_whitelist_present }}"
   notify: reload nginx
   tags:
   - nginx
 
 - name: remove IP addresses from private IP whitelist
   lineinfile:
-    dest: /etc/nginx/snippets/private_ipaddr_whitelist
+    dest: /etc/nginx/snippets/ipaddr_whitelist
     line: "allow {{ item }};"
     state: absent
-  with_items: "{{ nginx_private_ipaddr_whitelist_absent }}"
+  with_items: "{{ nginx_ipaddr_whitelist_absent }}"
   notify: reload nginx
   tags:
   - nginx

nginx/templates/evolinux-default.conf.j2

@@ -23,7 +23,7 @@ server {
     root /var/www;
 
     # Auth.
-    include /etc/nginx/snippets/private_ipaddr_whitelist;
+    include /etc/nginx/snippets/ipaddr_whitelist;
     deny all;
     auth_basic "Reserved {{ ansible_fqdn }}";
     auth_basic_user_file /etc/nginx/snippets/private_htpasswd;