If `proxy_protocol` is turned on, use port 10443 to accept PROXY Protocol
HTTPS connections and keep using port 443 for standard HTTPS connections.
New variables:
- proxy_protocol | default(true)
- Use last official deb package from matrix.org
- Revised LDAP integration:
* ldap_server, ldap_domain [ ldap_basedn ] config variables.
* Bind a protected service account with a service password and
start-tls
- Hardcoded matrix.lilik.it --> {{ ansible_hostname }}.{{ domain }}
- Sqlite -> Postgres
New variables:
- matrix_domain | default($domain)
- TLSv1.3 mandatory
- Pushed routes not hardcoded but defined by `routes` list
- TLS Private Key ED25519 instead of RSA
- Signing request refactored
- Topology switched from `net30` to `subnet`
- Ready for separated user and server CA
- Server certificate validity is assessed
- `tls_int` and `packages` tags added.
Role to configure nextcloud with LDAP User backend.
First test passed.
New modules:
- occ:
set configuration values using `php occ` nextcloud command-line tool.
Original Client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).
Affected roles:
- reverse_proxy:
Pass PROXY PROTOCOL by default to all upstream servers. May cause
problems with upstream servers unable to understand PROXY
PROTOCOL. We should put an nginx proxy in front in that case.
- nginx:
Expect PROXY PROTOCOL for all incoming TLS connections on nginx
clients.
*Warning:* now you can access the local server only by passing through the
firewall reverse proxy, not directly.
- gitlab:
Built-in nginx instance configured to expect PROXY PROTOCOL for
incoming TLS connections.
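As an added illustration (not the repository's own code), a Python parser for the PROXY protocol v1 header that the nginx and gitlab roles now expect, applying the trust rule stated above: the header is honoured only when the TCP peer is the firewall reverse proxy, otherwise any client could claim an arbitrary source address. The proxy address 10.0.0.1 and the sample header are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Constructed example: the firewall reverse proxy's internal address.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}


class ProxyInfo(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Split a PROXY protocol v1 header off the start of a TCP stream.

    Returns (info, remaining_bytes); info is None for 'PROXY UNKNOWN'.
    Raises ValueError on a malformed header.
    """
    line, sep, rest = data.partition(b"\r\n")
    if not sep or len(line) > 105:  # v1 line is at most 107 bytes incl. CRLF
        raise ValueError("missing or oversized PROXY header")
    fields = line.decode("ascii").split(" ")
    if fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported or malformed PROXY header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if {src.version, dst.version} != {4 if fields[1] == "TCP4" else 6}:
        raise ValueError("address family does not match header")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(str(src), str(dst), sport, dport), rest


def client_ip_for(peer_ip: str, data: bytes) -> Tuple[str, bytes]:
    """Resolve the real client address for a connection coming from peer_ip.

    The header is honoured only when the TCP peer is the firewall reverse
    proxy; accepting it from anyone else would let a client spoof its address.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    info, payload = parse_proxy_v1(data)
    return (info.src_ip if info else peer_ip), payload
```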
Created a reusable tasks list for issuing certificates (tls) at the
moment.
Added option for module cert_request to programmatically require
signing of client certificate.
- Coherent quotation style
Single quotes for text variables (even if implicit), no quotes for
variables and conditional statements, if not required.
- Some useful tags added:
* ssh_certs
renewal of server SSH certificates and configuration of authorized
CA.
* tls_pub
renewal of public TLS certificates (let's encrypt) and certbot
configuration.
* tls_int
renewal of internal TLS certificates (service authorizations) and
configuration of authorized internal CA.
*(ToDo: deployment of Certificate Revocation Lists)*
* lxc
deployment of new containers (deployment of configuration files
excluded; for instance, changes in IP address are always applied and
trigger a container restart even if you skip this tag).
* packages
installation and upgrade of software packages (apt, opkg or
tarballs)
* service_password
create a new random password for services-only passwords, for routine
rotation. Not meant to be skipped (some roles need to know the
service password, so they do a rotation).
- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab
- x509_subject_prefix
- x509_ldap_suffix
*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
Used in roles/certbot and roles/gitlab
- root_ca_cert
*Replaces:* ssl_ca_cert and files/lilik_x1.crt
New defaults:
- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
*Replaces:* fqdn_domain
Removed:
- fqdn_domain
- x509_suffix
*Replaced by:* x509_ldap_suffix in common
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
*Replaces:* fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
- Tasks split into subfiles.
- Static slapd configuration (slapd.conf) moved *properly* to dynamic
conf (slapd.d).
- TLS Enabled by default, with certificate acquired using
`ca_manager`.
- New default tree
- New default ACL
- Kerberos schema added
- {SSHA512} hash properly configured.
Now which *host* is hosting a specific container is not defined in the
playbook yaml file but centrally in the inventory under the
`ansible_lxc_host` variable.
The `lxc_guest` role is run directly against the guest, even if it
doesn't exist yet, and lxc tasks are delegated to the lxc-running
physical host.
In this way it should be easier to scale up and configure multiple
instances of a service on different containers without changing the
playbook.
Look at `/ldap.yaml` for a commented example.
Now that xfs is working, `prepare_host.yaml` is modified to add `xfs` to
the list of modules loaded at each boot.
If a module is added to that list, it is also loaded with a modprobe
handler.
If xfs is not working with `role/lxc_guest`, run the patched
`prepare_host.yaml` again.
Debian version upgraded to buster.
New templates compatible with stable versions of LXC provided with
debian.
Cleaner syntax using `ssh_lxc.py` connection plugin. Now we don't use
`lxc-attach -n ...` in the `shell` module on the host anymore, but we
delegate to `{{ vm_name }}` with `connection: ssh_lxc`, using suitable
Ansible modules to do operations directly on the container before it is
online and SSH accessible.
We added an option to force an LVM VG name: if the default naming
convention is not used the vg name can be overridden with the `vg_name`
variable.
The `xfs` filesystem seems to be broken in this release, so we used
`ext4` as default for new containers. This point needs further
investigation.
Now this connection can (also) be used directly indicating the LXC
container as the target (or delegated host), if the variables
`ansible_lxc_host` and `ansible_lxc_name` are provided, either in
inventory, role or task.
`ansible_lxc_host` is the inventory hostname of the LXC running physical
host.
`ansible_lxc_name` is the container name.
File `hosts.example` is provided to show how these variables can be set
up in an inventory.
Add support for OpenSSH v8 (output of `ssh-keygen` changed slightly) in
module `ssh_cert` and use a better implementation for multiple user CA.
Now we are reading user_ca from `group_vars/all.yaml`.
`user_ca_keys` should be the list of each allowed User CA on one host (in
this way it is easier to rotate CAs without reissuing keys to each user at
the same time).
The production CA must be the first one in the list. Host certificates
will be checked only against the first CA and updated if the host key
was issued from another CA in the list.
For this reason now we are using a template to create
`/etc/ssh/user_ca.pub` on the target, to preserve the key order.
`group_vars/all.yaml.example` has been updated to reflect the new usage.
- New apt multipackage style
- Tabulation in `templates/interfaces.j2` and in `/etc/lvm/lvm.conf`
line fixed: in Debian buster tabulation is used to indent these config
files by default.
`lxc-ssh.py` removed.
All Playbooks now use `ssh_lxc` connection.
`ansible_ssh_lxc_name` variable used to specify container name.
Tested and worked correctly with `python==3.8.2` and `ansible==2.9.6` on the
controller and `python==2.7` on the target.
Modification of the stock connection plugin ssh.py to use lxc-attach on
the target host.
We replace any `<cmd>` with
`lxc-attach -n <container_name> /bin/sh -c '<cmd>'`
before sending it through the ssh connection.
Based on the original idea of *Pierre Chifflier* available on [GitHub].
The container name should be passed as the `ansible_ssh_lxc_name`
variable.
The `ansible_docker_extra_args` variable is still working for backward
compatibility.
ToDo: The docstrings need to be updated, they are still mostly the ones
from ssh.py connection plugin.
We figured out the proper method to access inventory variables (see
README.md in [GitHub]): they need to be properly specified inside the
DOCUMENTATION of the Connection [1], and then they can be obtained with the
`Plugin.get_option()` method. That method should not be called in
`__init__()`, because options are not yet initialized. Calling it in
`_connect()` returned the correct option.
[GitHub]: https://github.com/chifflier/ansible-lxc-ssh
[1]: https://docs.ansible.com/ansible/2.9/dev_guide/developing_plugins.html
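An added Python sketch of the command rewriting described above (not the plugin's own code): it builds `lxc-attach -n <container_name> /bin/sh -c '<cmd>'`, quoting the command with `shlex.quote` so that a `<cmd>` that itself contains single quotes survives the remote shell intact, and validates the container name taken from `ansible_ssh_lxc_name` before it is placed on the command line. Function names and the container name `web1` are assumptions.

```python
import re
import shlex
from typing import List

# Constructed example: mimic the ssh_lxc rewriting described above (not the
# plugin's own code). Ansible would normally send <cmd> over SSH as-is; the
# plugin sends lxc-attach -n <container_name> /bin/sh -c '<cmd>' instead.
CONTAINER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def validate_container_name(name: str) -> str:
    """Reject names that could smuggle extra arguments into lxc-attach.

    The name comes from inventory (ansible_ssh_lxc_name), so it is trusted
    data, but a strict allow-list keeps a typo from turning into a shell
    word boundary on the remote host.
    """
    if not CONTAINER_NAME_RE.match(name):
        raise ValueError(f"invalid LXC container name: {name!r}")
    return name


def wrap_for_lxc_attach(cmd: str, container_name: str) -> str:
    """Rewrite <cmd> as: lxc-attach -n <container_name> /bin/sh -c '<cmd>'.

    shlex.quote produces the single-quoted form and escapes any single
    quotes inside cmd; a naive "'%s'" % cmd would end the quoted string
    early on the first embedded quote.
    """
    name = validate_container_name(container_name)
    return f"lxc-attach -n {name} /bin/sh -c {shlex.quote(cmd)}"


def container_sees(cmd: str, container_name: str) -> List[str]:
    """Return the argv the LXC host's shell hands to lxc-attach.

    The last element is exactly what /bin/sh inside the container runs,
    so round-tripping here checks that the quoting is correct.
    """
    return shlex.split(wrap_for_lxc_attach(cmd, container_name))


if __name__ == "__main__":
    print(wrap_for_lxc_attach("echo 'hello world' && id", "web1"))
```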
First step to develop a new cleaner ssh_lxc interface.
Here we clone `ansible/plugins/connection/ssh.py` from Ansible version
2.9.6.
It will be adapted to use `lxc-attach` on the target host.