- (Icinga2) Preseed correctly all the debconf variables to have IDO db created
and populated by `icinga2-ido-pgsql` deb installation script.
- (IcingaWeb2) Use a different user, `www-data`, with lower
privileges, to access the IDO db in read-only mode.
- Use everywhere socket (local ident) authentication to PostgreSQL to
avoid local service password.
(IcingaWeb2) Configuration issues fixed:
- Missing `php-fpm` requirement.
- Migrating php7.0 -> php 7.3 in nginx config location config file.
- Fixed `rewrite` rule in nginx configuration:
When usign `/icingaweb2` as rewrite target nginx automatically
expand the redirect 302 response as
`$scheme://$remote_host:$remote_port/icingaweb2`, causing
connection to fail when behind a *reverse proxy*, because
remote_post and remote_host are incorrect.
- Remove hardcoded `status.lilik.it` in `meta/main.yaml`,
`server_fqdn` is already defined in `defaults/main.yaml` as
`{{ ansible_hostname }}.{{ domain }}`.
(IcingaWeb2) LDAP:
- procedure to automatically issue service credetinals to authenticate
with the ldap server.
- starttls secured ldap connection with service account.
- use of the variable `base_dn` instead of hard-coded values in config
files.
(IcingaWeb2) CONFIGURATION:
- fixed rsync parameters.
- resource renaming.
Make it work on Python3, even if deprecated with the new `ssh_lxc`
connection plugin.
Now you can use directly the `slurp` native module with delegation to
the lxc guest.
May be useful only in case where it is impossible to get python3 or
other ansible requirements on the lxc guest.
When using multiples server names in `server_name`, the NGINX variable
`$server_name` will always point only to the first entry. `$host`
variable, instead, point to the selected host from the user (HTTP
request or Host: header).
Do not apply tag `packages` to role `service`. Tags are already
applied inside the role. If we apply the tag `package` at the role
level handlers defined inside the role (restart, reload) are not
available in the play!
Fix an error when `ssh_server` last task, the one that checks if the
server has actually started to listen on port 22.
This error occurred while using the `ssh_server` role on a physical
host, not while running on lxc_guests.
Role to configure port forwarding in a OpenWRT firewall.
Import this role in any host playbook to open a redirect to the
current host from the host labelled as firewall.
Example:
- set_fact:
firewall: 'inventory_name_of_firewall'
- import_role: name=port_forwarding
vars:
name: 'stun'
proto: 'tcp'
port: 3478
This is beacause nginx will do canonization of URIs before
proxy-passing if you add anything after the port host:port.
For example, with:
location /anything {
proxy_pass http://127.0.0.1:8008/anything;
}
NGINX will perform canonization, but with:
location /anything {
proxy_pass http://127.0.0.1:8008
# With NO Trailing slash
}
NGINX will pass the unaltered original request, included /anything, to
the upstream server.
Canonization leads to problem when federating to other matrix-synapse
instances. The observed bug was:
- User A on our server (@A:our.server) invites User B on external
server (@B:matrix.org).
- User B correctly receive the invite.
- User B try to join the room but the request timeout.
- On our.sever logs we see "signature tampered" errors related to
incoming connection from the external server (matrix.org).
This commit fix the issue.
If proxy-protocol is enabled use alternative port 10443 for PROXY
Protocol traffic on both gitlab and mattermost and keep port 443 for
standard HTTPS Traffic.
If `proxy_protocol` is turned on user port 10443 to accept PROXY Protocol
HTTPS connections and keedp using port 443 for standard HTTPS connection.
New variables:
- proxy_protocol | default(true)
- User last official deb package from matrix.org
- Revised LDAP integration:
* ldap_server, ldap_domain [ ldap_basedn ] config vraiables.
* Bind a protected service account with a service password and
start-tls
- Hardcoded matrix.lilik.it --> {{ ansible_hostname }}.{{ domain }}
- Sqlite -> Postgres
New variables:
- matrix_domain | default($domain)
- TLSv1.3 mandatory
- Pushed routes not hardcoded but defined by `routes` list
- TLS Private Key ED25519 instead of RSA
- Signing request refactored
- Topology switched from `net30` to `subnet`
- Ready for separated user and server CA
- Server certificate validity is assessed
- `tls_int` and `packages` tags added.
Role to configure nextcloud with LDAP User backend.
First test passed.
New modules:
- occ:
set coniguration values using `php occ` nextcloud command-line tool.
Original Client IP is correctly passed to upstream nginx
instances (nginx role or gitlab).
Affected roles:
- reverse_proxy:
Pass PROXY PROTOCOL by default to all upstream server. May cause
problem with upstream server unable to understand PROXY
PROTOCOL. We should put a nginx proxy in front in that case.
- nginx:
Expect PROXY PROTOCOL for all incoming TLS connection on nginx
clients.
*Warning:* now you can access local server only passing by the
firewall reverse proxy, not directly.
- gitlab:
Built-in nginx instance configured to expect PROXY PROTOCOL for
tls incoming connections.
Created a reusable tasks list for issung certificates (tls) at the
moment.
Added option for module cert_request to programmatically require
signing of client certificate.