(IcingaWeb2) Configuration issues fixed:
- Missing `php-fpm` requirement.
- Migrating php7.0 -> php 7.3 in nginx config location config file.
- Fixed `rewrite` rule in nginx configuration:
When usign `/icingaweb2` as rewrite target nginx automatically
expand the redirect 302 response as
`$scheme://$remote_host:$remote_port/icingaweb2`, causing
connection to fail when behind a *reverse proxy*, because
remote_post and remote_host are incorrect.
- Remove hardcoded `status.lilik.it` in `meta/main.yaml`,
`server_fqdn` is already defined in `defaults/main.yaml` as
`{{ ansible_hostname }}.{{ domain }}`.
(IcingaWeb2) LDAP:
- procedure to automatically issue service credetinals to authenticate
with the ldap server.
- starttls secured ldap connection with service account.
- use of the variable `base_dn` instead of hard-coded values in config
files.
(IcingaWeb2) CONFIGURATION:
- fixed rsync parameters.
- resource renaming.
Make it work on Python3, even if deprecated with the new `ssh_lxc`
connection plugin.
Now you can use directly the `slurp` native module with delegation to
the lxc guest.
May be useful only in case where it is impossible to get python3 or
other ansible requirements on the lxc guest.
When using multiples server names in `server_name`, the NGINX variable
`$server_name` will always point only to the first entry. `$host`
variable, instead, point to the selected host from the user (HTTP
request or Host: header).
Do not apply tag `packages` to role `service`. Tags are already
applied inside the role. If we apply the tag `package` at the role
level handlers defined inside the role (restart, reload) are not
available in the play!
Fix an error when `ssh_server` last task, the one that checks if the
server has actually started to listen on port 22.
This error occurred while using the `ssh_server` role on a physical
host, not while running on lxc_guests.
Role to configure port forwarding in a OpenWRT firewall.
Import this role in any host playbook to open a redirect to the
current host from the host labelled as firewall.
Example:
- set_fact:
firewall: 'inventory_name_of_firewall'
- import_role: name=port_forwarding
vars:
name: 'stun'
proto: 'tcp'
port: 3478
This is beacause nginx will do canonization of URIs before
proxy-passing if you add anything after the port host:port.
For example, with:
location /anything {
proxy_pass http://127.0.0.1:8008/anything;
}
NGINX will perform canonization, but with:
location /anything {
proxy_pass http://127.0.0.1:8008
# With NO Trailing slash
}
NGINX will pass the unaltered original request, included /anything, to
the upstream server.
Canonization leads to problem when federating to other matrix-synapse
instances. The observed bug was:
- User A on our server (@A:our.server) invites User B on external
server (@B:matrix.org).
- User B correctly receive the invite.
- User B try to join the room but the request timeout.
- On our.sever logs we see "signature tampered" errors related to
incoming connection from the external server (matrix.org).
This commit fix the issue.
If proxy-protocol is enabled use alternative port 10443 for PROXY
Protocol traffic on both gitlab and mattermost and keep port 443 for
standard HTTPS Traffic.
If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol
HTTPS connections and keedp using port 443 for standard HTTPS connection.
New variables:
- proxy_protocol | default(true)
- User last official deb package from matrix.org
- Revised LDAP integration:
* ldap_server, ldap_domain [ ldap_basedn ] config vraiables.
* Bind a protected service account with a service password and
start-tls
- Hardcoded matrix.lilik.it --> {{ ansible_hostname }}.{{ domain }}
- Sqlite -> Postgres
New variables:
- matrix_domain | default($domain)
- TLSv1.3 mandatory
- Pushed routes not hardcoded but defined by `routes` list
- TLS Private Key ED25519 instead of RSA
- Signing request refactored
- Topology switched from `net30` to `subnet`
- Ready for separated user and server CA
- Server certificate validity is assessed
- `tls_int` and `packages` tags added.
Role to configure nextcloud with LDAP User backend.
First test passed.
New modules:
- occ:
set coniguration values using `php occ` nextcloud command-line tool.
Original Client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).
Affected roles:
- reverse_proxy:
Pass PROXY PROTOCOL by default to all upstream server. May cause
problem with upstream server unable to understand PROXY
PROTOCOL. We should put a nginx proxy in front in that case.
- nginx:
Expect PROXY PROTOCOL for all incoming TLS connection on nginx
clients.
*Warning:* now you can access local server only passing by the
firewall reverse proxy, not directly.
- gitlab:
Built-in nginx instance configured to expect PROXY PROTOCOL for
tls incoming connections.
Created a reusable tasks list for issung certificates (tls) at the
moment.
Added option for module cert_request to programmatically require
signing of client certificate.
- Coherent quotation style
Single quotes for text variable (even if implicit), no quotes for
variable and conditional statements, if not required.
- Some useful tags added:
* ssh_certs
renewal of server SSH certificates and configuration of authorized
CA.
* tls_pub
renewal of public TLS certificates (let's encrypt) and certbot
configuration.
* tls_int
renewal of internal TLS certificates (service authorizations) and
configuration of authorized internal CA.
*(ToDo: deployment of Certificate Revokation Lists)*
* lxc
deployment of new containers (deployment of configuration file
excluded, for instance change in ip address are always applied and
trigger a container restart even if you skip this tag.
* packages
installation and upgrade of software packages (apt, opkg or
tarballs)
* service_password
create new random password for services-only password, for routine
rotation. Not meant to be skipped (some roles need to know the
service password, so they do a rotation).
- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab
- x509_subject_prefix
- x509_ldap_suffix
*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
Used in roles/certbot and roles/gitlab
- root_ca_cert
*Replaces:* ssl_ca_cert and files/lilik_x1.crt
New defaults:
- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
*Replaces:* fqdn_domain
Removed:
- fqdn_dmain
- x509_suffix
*Replaced by:* x509_ldap_suffix in common
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
*Replaces*: fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
- Tasks splitted in subfiles.
- Static slapd configuration (slapd.conf) moved *properly* to dynamic
conf (slapd.d).
- TLS Enabled by default, with certificate acquired using
`ca_manager`.
- New default tree
- New default ACL
- Kerberos schema added
- {SSHA512} hash properly configured.
Now which *host* is hosting a specific container is not defined in the
playbook yaml file but centrally in the invetory under the
`ansible_lxc_host` variable.
The `lxc_guest` role is runned directly against the guest, even if it
doesn't exist yet, and lxc tasks are delegated to the lxc-running
physical host.
In this way it should be easier to scale-up and configure multiple
istance of a service on different containers without changing the
playbook.
Look at `/ldap.yaml` for a commented example.
