Fix an error when `ssh_server` last task, the one that checks if the
server has actually started to listen on port 22.
This error occurred while using the `ssh_server` role on a physical
host, not while running on lxc_guests.
Role to configure port forwarding in a OpenWRT firewall.
Import this role in any host playbook to open a redirect to the
current host from the host labelled as firewall.
Example:
- set_fact:
firewall: 'inventory_name_of_firewall'
- import_role: name=port_forwarding
vars:
name: 'stun'
proto: 'tcp'
port: 3478
This is beacause nginx will do canonization of URIs before
proxy-passing if you add anything after the port host:port.
For example, with:
location /anything {
proxy_pass http://127.0.0.1:8008/anything;
}
NGINX will perform canonization, but with:
location /anything {
proxy_pass http://127.0.0.1:8008
# With NO Trailing slash
}
NGINX will pass the unaltered original request, included /anything, to
the upstream server.
Canonization leads to problem when federating to other matrix-synapse
instances. The observed bug was:
- User A on our server (@A:our.server) invites User B on external
server (@B:matrix.org).
- User B correctly receive the invite.
- User B try to join the room but the request timeout.
- On our.sever logs we see "signature tampered" errors related to
incoming connection from the external server (matrix.org).
This commit fix the issue.
If proxy-protocol is enabled use alternative port 10443 for PROXY
Protocol traffic on both gitlab and mattermost and keep port 443 for
standard HTTPS Traffic.
If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol
HTTPS connections and keedp using port 443 for standard HTTPS connection.
New variables:
- proxy_protocol | default(true)
- User last official deb package from matrix.org
- Revised LDAP integration:
* ldap_server, ldap_domain [ ldap_basedn ] config vraiables.
* Bind a protected service account with a service password and
start-tls
- Hardcoded matrix.lilik.it --> {{ ansible_hostname }}.{{ domain }}
- Sqlite -> Postgres
New variables:
- matrix_domain | default($domain)
- TLSv1.3 mandatory
- Pushed routes not hardcoded but defined by `routes` list
- TLS Private Key ED25519 instead of RSA
- Signing request refactored
- Topology switched from `net30` to `subnet`
- Ready for separated user and server CA
- Server certificate validity is assessed
- `tls_int` and `packages` tags added.
Role to configure nextcloud with LDAP User backend.
First test passed.
New modules:
- occ:
set coniguration values using `php occ` nextcloud command-line tool.
Original Client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).
Affected roles:
- reverse_proxy:
Pass PROXY PROTOCOL by default to all upstream server. May cause
problem with upstream server unable to understand PROXY
PROTOCOL. We should put a nginx proxy in front in that case.
- nginx:
Expect PROXY PROTOCOL for all incoming TLS connection on nginx
clients.
*Warning:* now you can access local server only passing by the
firewall reverse proxy, not directly.
- gitlab:
Built-in nginx instance configured to expect PROXY PROTOCOL for
tls incoming connections.
Created a reusable tasks list for issung certificates (tls) at the
moment.
Added option for module cert_request to programmatically require
signing of client certificate.
- Coherent quotation style
Single quotes for text variable (even if implicit), no quotes for
variable and conditional statements, if not required.
- Some useful tags added:
* ssh_certs
renewal of server SSH certificates and configuration of authorized
CA.
* tls_pub
renewal of public TLS certificates (let's encrypt) and certbot
configuration.
* tls_int
renewal of internal TLS certificates (service authorizations) and
configuration of authorized internal CA.
*(ToDo: deployment of Certificate Revokation Lists)*
* lxc
deployment of new containers (deployment of configuration file
excluded, for instance change in ip address are always applied and
trigger a container restart even if you skip this tag.
* packages
installation and upgrade of software packages (apt, opkg or
tarballs)
* service_password
create new random password for services-only password, for routine
rotation. Not meant to be skipped (some roles need to know the
service password, so they do a rotation).
- prepare_host
- ssh_server
- lxc_guest
- ldap
- gitlab
- x509_subject_prefix
- x509_ldap_suffix
*Replaces:* x509_suffix in ldap.yaml
- letsencrypt_email
Used in roles/certbot and roles/gitlab
- root_ca_cert
*Replaces:* ssl_ca_cert and files/lilik_x1.crt
New defaults:
- ldap_domain | default: `${domain}`
- server_fqdn | default: `${hostname}.dmz.${domain}`
*Replaces:* fqdn_domain
Removed:
- fqdn_dmain
- x509_suffix
*Replaced by:* x509_ldap_suffix in common
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
*Replaces*: fqdn
- ldap_domain | default: `${domain}`
- ldap_server | default: `ldap1.dmz.${domain}`
- ldap_basedn | default: `dn(${ldap_domain})`
- enable_https | default: `true`
New defaults:
- server_fqdn | default: `${hostname}.${domain}`
- Tasks splitted in subfiles.
- Static slapd configuration (slapd.conf) moved *properly* to dynamic
conf (slapd.d).
- TLS Enabled by default, with certificate acquired using
`ca_manager`.
- New default tree
- New default ACL
- Kerberos schema added
- {SSHA512} hash properly configured.
Now which *host* is hosting a specific container is not defined in the
playbook yaml file but centrally in the invetory under the
`ansible_lxc_host` variable.
The `lxc_guest` role is runned directly against the guest, even if it
doesn't exist yet, and lxc tasks are delegated to the lxc-running
physical host.
In this way it should be easier to scale-up and configure multiple
istance of a service on different containers without changing the
playbook.
Look at `/ldap.yaml` for a commented example.
Now xfs is working, `prepare_host.yaml` is modified to add `xfs` to
the list of modules loaded at each boot.
If module is added to that list, than is also loaded with a modprobe
handler.
If xfs is not working with `role/lxc_guest`, run the patched
`prepare_host.yaml` againg.
Debian version upgraded to buster.
New templates compatibile with stable versions of LXC provided with
debian.
Cleaner syntax using `ssh_lxc.py` connection plugin. Now we don't user
`lxc-attach -n ...` in the `shell` module on the host anymore, but we
delegate to `{{ vm_name }}` with `connection: ssh_lxc`, using suitable
Ansible module to do operation directly on the container before it is
online and SSH accessible.
We added an option to force an LVM VG name: if the default naming
convention is not used the vg name can be overriden with the `vg_name`
variable.
The `xfs` filesystem seems to be broken in this release, so we used
`ext4` as default for new container. This point needs further
investigation.
Now this connection can (also) be used directly indicating the LXC
container as the target (or delegated host), if the variables
`ansible_lxc_host` and `ansible_lxc_name` are provided, either in
invetory, role or task.
`ansible_lxc_host` is the inventory hostname of the LXC running physical
host.
`ansible_lxc_name` is the container name.
File `hosts.example` is provided to show how this variables can be set
up in an inventory.
Add support for OpenSSH v8 (ouput of `ssh-keygen` changed slightly) in
module `ssh_cert` and use a better implementation for multiple user CA.
Now we are reading user_ca from `group_vars/all.yaml`.
`user_ca_keys` should be list of each allowed User CA on one host (in
this way is easier to rotate CAs without reissuing keys to each user at
the same time).
The production CA must be the first one in the list. Host certificate
will be checked only against the first CA and updated if their host key
was issued from another CA in the list.
For this reason now we are using a template to create
`/etc/ssh/user_ca.pub` on the target, to preserve the key order.
`group_vars/all.yaml.example` has been updated to reflect the new usage.
- New apt multipackage style
- Tabulation in `templates/interfaces.j2` and in `/etc/lvm/lvm.conf`
line fixed: in Debian buster tabulation is used to indent this config
files by default.