3bcc357509
Now the list of whitelisted ip addresses can be updated simply by including the specific tasks in an external playbook without polluting our role list. This change takes effect for nginx, apache and fail2ban.
69 lines
1.5 KiB
YAML
69 lines
1.5 KiB
YAML
---
|
|
|
|
- name: Init ipaddr_whitelist.conf file
|
|
copy:
|
|
src: ipaddr_whitelist.conf
|
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0640"
|
|
force: no
|
|
tags:
|
|
- apache
|
|
|
|
- name: Load IP whitelist task
|
|
include: ip_whitelist.yml
|
|
tags:
|
|
- apache
|
|
|
|
- name: remove IP addresses from private IP whitelist
|
|
lineinfile:
|
|
dest: /etc/apache2/ipaddr_whitelist.conf
|
|
line: "Require ip {{ item }}"
|
|
state: absent
|
|
with_items: "{{ apache_ipaddr_whitelist_absent }}"
|
|
notify: reload apache
|
|
tags:
|
|
- apache
|
|
|
|
- name: include private IP whitelist for server-status
|
|
lineinfile:
|
|
dest: /etc/apache2/mods-available/status.conf
|
|
line: " include /etc/apache2/ipaddr_whitelist.conf"
|
|
insertafter: 'SetHandler server-status'
|
|
state: present
|
|
tags:
|
|
- apache
|
|
|
|
- name: Copy private_htpasswd
|
|
copy:
|
|
src: private_htpasswd
|
|
dest: /etc/apache2/private_htpasswd
|
|
owner: root
|
|
group: root
|
|
mode: "0640"
|
|
force: no
|
|
notify: reload apache
|
|
tags:
|
|
- apache
|
|
|
|
- name: add user:pwd to private htpasswd
|
|
lineinfile:
|
|
dest: /etc/apache2/private_htpasswd
|
|
line: "{{ item }}"
|
|
state: present
|
|
with_items: "{{ apache_private_htpasswd_present }}"
|
|
notify: reload apache
|
|
tags:
|
|
- apache
|
|
|
|
- name: remove user:pwd from private htpasswd
|
|
lineinfile:
|
|
dest: /etc/apache2/private_htpasswd
|
|
line: "{{ item }}"
|
|
state: absent
|
|
with_items: "{{ apache_private_htpasswd_absent }}"
|
|
notify: reload apache
|
|
tags:
|
|
- apache
|