- (Icinga2) Preseed correctly all the debconf variables to have IDO db created
and populated by `icinga2-ido-pgsql` deb installation script.
- (IcingaWeb2) Use a different user, `www-data`, with lower
privileges, to access the IDO db in read-only mode.
- Use everywhere socket (local ident) authentication to PostgreSQL to
avoid local service password.
(IcingaWeb2) Configuration issues fixed:
- Missing `php-fpm` requirement.
- Migrating php7.0 -> php 7.3 in nginx config location config file.
- Fixed `rewrite` rule in nginx configuration:
When usign `/icingaweb2` as rewrite target nginx automatically
expand the redirect 302 response as
`$scheme://$remote_host:$remote_port/icingaweb2`, causing
connection to fail when behind a *reverse proxy*, because
remote_post and remote_host are incorrect.
- Remove hardcoded `status.lilik.it` in `meta/main.yaml`,
`server_fqdn` is already defined in `defaults/main.yaml` as
`{{ ansible_hostname }}.{{ domain }}`.
(IcingaWeb2) LDAP:
- procedure to automatically issue service credetinals to authenticate
with the ldap server.
- starttls secured ldap connection with service account.
- use of the variable `base_dn` instead of hard-coded values in config
files.
(IcingaWeb2) CONFIGURATION:
- fixed rsync parameters.
- resource renaming.
When using multiples server names in `server_name`, the NGINX variable
`$server_name` will always point only to the first entry. `$host`
variable, instead, point to the selected host from the user (HTTP
request or Host: header).
Do not apply tag `packages` to role `service`. Tags are already
applied inside the role. If we apply the tag `package` at the role
level handlers defined inside the role (restart, reload) are not
available in the play!
Fix an error when `ssh_server` last task, the one that checks if the
server has actually started to listen on port 22.
This error occurred while using the `ssh_server` role on a physical
host, not while running on lxc_guests.
Role to configure port forwarding in a OpenWRT firewall.
Import this role in any host playbook to open a redirect to the
current host from the host labelled as firewall.
Example:
- set_fact:
firewall: 'inventory_name_of_firewall'
- import_role: name=port_forwarding
vars:
name: 'stun'
proto: 'tcp'
port: 3478
This is beacause nginx will do canonization of URIs before
proxy-passing if you add anything after the port host:port.
For example, with:
location /anything {
proxy_pass http://127.0.0.1:8008/anything;
}
NGINX will perform canonization, but with:
location /anything {
proxy_pass http://127.0.0.1:8008
# With NO Trailing slash
}
NGINX will pass the unaltered original request, included /anything, to
the upstream server.
Canonization leads to problem when federating to other matrix-synapse
instances. The observed bug was:
- User A on our server (@A:our.server) invites User B on external
server (@B:matrix.org).
- User B correctly receive the invite.
- User B try to join the room but the request timeout.
- On our.sever logs we see "signature tampered" errors related to
incoming connection from the external server (matrix.org).
This commit fix the issue.
If proxy-protocol is enabled use alternative port 10443 for PROXY
Protocol traffic on both gitlab and mattermost and keep port 443 for
standard HTTPS Traffic.
If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol
HTTPS connections and keedp using port 443 for standard HTTPS connection.
New variables:
- proxy_protocol | default(true)
- User last official deb package from matrix.org
- Revised LDAP integration:
* ldap_server, ldap_domain [ ldap_basedn ] config vraiables.
* Bind a protected service account with a service password and
start-tls
- Hardcoded matrix.lilik.it --> {{ ansible_hostname }}.{{ domain }}
- Sqlite -> Postgres
New variables:
- matrix_domain | default($domain)
- TLSv1.3 mandatory
- Pushed routes not hardcoded but defined by `routes` list
- TLS Private Key ED25519 instead of RSA
- Signing request refactored
- Topology switched from `net30` to `subnet`
- Ready for separated user and server CA
- Server certificate validity is assessed
- `tls_int` and `packages` tags added.
Role to configure nextcloud with LDAP User backend.
First test passed.
New modules:
- occ:
set coniguration values using `php occ` nextcloud command-line tool.
Original Client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).
Affected roles:
- reverse_proxy:
Pass PROXY PROTOCOL by default to all upstream server. May cause
problem with upstream server unable to understand PROXY
PROTOCOL. We should put a nginx proxy in front in that case.
- nginx:
Expect PROXY PROTOCOL for all incoming TLS connection on nginx
clients.
*Warning:* now you can access local server only passing by the
firewall reverse proxy, not directly.
- gitlab:
Built-in nginx instance configured to expect PROXY PROTOCOL for
tls incoming connections.
Created a reusable tasks list for issung certificates (tls) at the
moment.
Added option for module cert_request to programmatically require
signing of client certificate.
- Coherent quotation style
Single quotes for text variable (even if implicit), no quotes for
variable and conditional statements, if not required.
- Some useful tags added:
* ssh_certs
renewal of server SSH certificates and configuration of authorized
CA.
* tls_pub
renewal of public TLS certificates (let's encrypt) and certbot
configuration.
* tls_int
renewal of internal TLS certificates (service authorizations) and
configuration of authorized internal CA.
*(ToDo: deployment of Certificate Revokation Lists)*
* lxc
deployment of new containers (deployment of configuration file
excluded, for instance change in ip address are always applied and
trigger a container restart even if you skip this tag.
* packages
installation and upgrade of software packages (apt, opkg or
tarballs)
* service_password
create new random password for services-only password, for routine
rotation. Not meant to be skipped (some roles need to know the
service password, so they do a rotation).
- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab
- x509_subject_prefix
- x509_ldap_suffix
*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
Used in roles/certbot and roles/gitlab
- root_ca_cert
*Replaces:* ssl_ca_cert and files/lilik_x1.crt
New defaults:
- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
*Replaces:* fqdn_domain
Removed:
- fqdn_dmain
- x509_suffix
*Replaced by:* x509_ldap_suffix in common
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
*Replaces*: fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
- Tasks splitted in subfiles.
- Static slapd configuration (slapd.conf) moved *properly* to dynamic
conf (slapd.d).
- TLS Enabled by default, with certificate acquired using
`ca_manager`.
- New default tree
- New default ACL
- Kerberos schema added
- {SSHA512} hash properly configured.
Now xfs is working, `prepare_host.yaml` is modified to add `xfs` to
the list of modules loaded at each boot.
If module is added to that list, than is also loaded with a modprobe
handler.
If xfs is not working with `role/lxc_guest`, run the patched
`prepare_host.yaml` againg.