diff --git a/CHANGELOG.md b/CHANGELOG.md index 58353dd..ccfa8d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ FEATURES: * Validate that various role variables have been set to one of the allowed values. * Refactor how this role checks if your distribution is supported NGINX App Protect. The role will no longer fail if the target distribution is not supported, instead, you will get a warning. This should help with the occasional lag between new releases of distributions and/or NGINX App Protect and this role being updated to support those releases. In addition, the role will also now check if your distribution's architecture is supported. +* Refactor Ansible facts from dot to array notation to keep in with the standards set by the other roles in the Ansible NGINX core collection. * Add support for Debian bullseye for NGINX App Protect WAF. * Add support for Oracle Linux 7.x & 8.x for NGINX App Protect WAF. * Add support for RHEL 8.7. diff --git a/molecule/common/cleanup.yml b/molecule/common/cleanup.yml index 400a1f0..0bc877b 100644 --- a/molecule/common/cleanup.yml +++ b/molecule/common/cleanup.yml @@ -26,7 +26,7 @@ - name: (RHEL) Unregister system from RHEL subscription manager community.general.redhat_subscription: state: absent - when: ansible_distribution == "RedHat" + when: ansible_facts['distribution'] == "RedHat" rescue: - name: It's ok we're at startup ansible.builtin.meta: noop diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index edc4f4d..1162be2 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -16,7 +16,7 @@ username: "{{ lookup('env', 'RHEL_USERNAME') }}" password: "{{ lookup('env', 'RHEL_PASSWORD') }}" when: - - ansible_distribution == "RedHat" + - ansible_facts['distribution'] == "RedHat" - rhel_subscription | bool tasks: - name: Install NGINX App Protect WAF diff --git a/molecule/dos/converge.yml b/molecule/dos/converge.yml index 28b1bfe..9868680 100644 
--- a/molecule/dos/converge.yml +++ b/molecule/dos/converge.yml @@ -16,7 +16,7 @@ username: "{{ lookup('env', 'RHEL_USERNAME') }}" password: "{{ lookup('env', 'RHEL_PASSWORD') }}" when: - - ansible_distribution == "RedHat" + - ansible_facts['distribution'] == "RedHat" - rhel_subscription| bool tasks: - name: Install NGINX App Protect DoS diff --git a/molecule/specific-version/converge.yml b/molecule/specific-version/converge.yml index 781e71b..b87eb40 100644 --- a/molecule/specific-version/converge.yml +++ b/molecule/specific-version/converge.yml @@ -13,12 +13,12 @@ tasks: - name: Set NGINX App Protect WAF signature version fact ansible.builtin.set_fact: - nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}" + nginx_app_protect_waf_signatures_version: "{{ app_protect_signature_version_matrix[ansible_facts['os_family'] | lower] }}{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}" when: specify_app_protect_signatures_version | bool - name: Set NGINX App Protect WAF threat campaigns version fact ansible.builtin.set_fact: - nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] }}{{ (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}" + nginx_app_protect_waf_threat_campaigns_version: "{{ app_protect_threat_campaigns_version_matrix[ansible_facts['os_family'] | lower] }}{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '') }}" when: specify_app_protect_threat_campaigns_version | bool - name: Install NGINX App Protect WAF diff --git a/molecule/specific-version/verify.yml b/molecule/specific-version/verify.yml index 9bef9ad..46461ba 100644 --- a/molecule/specific-version/verify.yml 
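Review bot: Both rewritten `set_fact` lines (`nginx_app_protect_waf_signatures_version` and `nginx_app_protect_waf_threat_campaigns_version`) still read the bare `ansible_distribution_release` inside `ternary('~' ~ ansible_distribution_release, '')`, so the move to `ansible_facts[...]` notation is only half done in this file, while the matching `verify.yml` hunk already uses `ansible_facts['distribution_release']`. With `inject_facts_as_vars = false` in ansible.cfg the `ansible_distribution_*` top-level variables are undefined, so these two tasks would fail even though the rest of the scenario has been converted. The same leftover appears in `vars/main.yml` on the three `*_default_repository_debian` lines (`{{ ansible_distribution_release }}`) and in `tasks/common/install/setup-license.yml`, where `ansible_python['version']['major']` should become `ansible_facts['python']['version']['major']`. Suggested for both lines here: `ternary('~' ~ ansible_facts['distribution_release'], '')`.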
+++ b/molecule/specific-version/verify.yml @@ -60,8 +60,8 @@ - name: Verify installed NAP signatures version matches requested version # noqa jinja[spacing] ansible.builtin.assert: - that: "{{ (ansible_facts.packages['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}" + that: "{{ (ansible_facts['packages']['app-protect-attack-signatures'] | map(attribute='version') | first) == (app_protect_signature_version_matrix[ansible_facts['os_family'] | lower] | regex_replace('^-|=','') + (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_facts['distribution_release'], '')) }}" - name: Verify installed NAP threat campaigns version matches requested version # noqa jinja[spacing] ansible.builtin.assert: - that: "{{ (ansible_facts.packages['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_os_family | lower] | regex_replace('^-|=','') + (ansible_os_family | lower == 'debian') | ternary('~' ~ ansible_distribution_release, '')) }}" + that: "{{ (ansible_facts['packages']['app-protect-threat-campaigns'] | map(attribute='version') | first) == (app_protect_threat_campaigns_version_matrix[ansible_facts['os_family'] | lower] | regex_replace('^-|=','') + (ansible_facts['os_family'] | lower == 'debian') | ternary('~' ~ ansible_facts['distribution_release'], '')) }}" diff --git a/molecule/uninstall/prepare.yml b/molecule/uninstall/prepare.yml index fc20dac..0ab42a0 100644 --- a/molecule/uninstall/prepare.yml +++ b/molecule/uninstall/prepare.yml 
@@ -34,7 +34,7 @@ username: "{{ lookup('env', 'RHEL_USERNAME') }}" password: "{{ lookup('env', 'RHEL_PASSWORD') }}" when: - - ansible_distribution == "RedHat" + - ansible_facts['distribution'] == "RedHat" - rhel_subscription| bool tasks: - name: Install NGINX App Protect WAF @@ -54,5 +54,5 @@ community.general.redhat_subscription: state: absent when: - - ansible_distribution == "RedHat" + - ansible_facts['distribution'] == "RedHat" - rhel_subscription | bool diff --git a/tasks/common/config/configure-app-protect.yml b/tasks/common/config/configure-app-protect.yml index 6884f83..af799d3 100644 --- a/tasks/common/config/configure-app-protect.yml +++ b/tasks/common/config/configure-app-protect.yml @@ -4,15 +4,15 @@ block: - name: Ensure NGINX App Protect security policy directories exist ansible.builtin.file: - path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}" + path: "{{ item['dest'] | default('/etc/app_protect/conf') | dirname }}" state: directory mode: 0755 loop: "{{ nginx_app_protect_security_policy_file }}" - name: Copy NGINX App Protect security policy files ansible.builtin.copy: - src: "{{ item.src }}" - dest: "{{ item.dest | default('/etc/app_protect/conf') }}" + src: "{{ item['src'] }}" + dest: "{{ item['dest'] | default('/etc/app_protect/conf') }}" backup: true mode: 0644 loop: "{{ nginx_app_protect_security_policy_file }}" 
@@ -22,15 +22,15 @@ block: - name: Ensure NGINX App Protect log policy directories exist ansible.builtin.file: - path: "{{ item.dest | default('/etc/app_protect/conf') | dirname }}" + path: "{{ item['dest'] | default('/etc/app_protect/conf') | dirname }}" state: directory mode: 0755 loop: "{{ nginx_app_protect_log_policy_file }}" - name: Copy NGINX App Protect log policy files ansible.builtin.copy: - src: "{{ item.src }}" - dest: "{{ item.dest | default('/etc/app_protect/conf') }}" + src: "{{ item['src'] }}" + dest: "{{ item['dest'] | default('/etc/app_protect/conf') }}" backup: true mode: 0644 loop: "{{ nginx_app_protect_log_policy_file }}" diff --git a/tasks/common/install/remove-license.yml b/tasks/common/install/remove-license.yml index 0a8dfb7..272031c 100644 --- a/tasks/common/install/remove-license.yml +++ b/tasks/common/install/remove-license.yml @@ -4,11 +4,11 @@ nginx_app_protect_license_status: absent - name: Delete NGINX App Protect WAF repository data - ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_facts['os_family'] | lower }}.yml" when: nginx_app_protect_waf_enable | bool - name: Delete NGINX App Protect DoS repository data - ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_facts['os_family'] | lower }}.yml" when: nginx_app_protect_dos_enable | bool - name: Delete NGINX App Protect license diff --git a/tasks/common/install/setup-license.yml b/tasks/common/install/setup-license.yml index b9df14e..e8b9c89 100644 --- a/tasks/common/install/setup-license.yml +++ b/tasks/common/install/setup-license.yml 
@@ -1,6 +1,6 @@ --- - name: (Alpine Linux) Set up NGINX App Protect WAF/DoS license - when: ansible_os_family == "Alpine" + when: ansible_facts['os_family'] == "Alpine" block: - name: Install cryptography package ansible.builtin.package: @@ -14,14 +14,14 @@ - name: (Alpine Linux) Copy NGINX App Protect WAF/DoS certificate ansible.builtin.copy: - src: "{{ nginx_app_protect_license.certificate }}" + src: "{{ nginx_app_protect_license['certificate'] }}" dest: /etc/apk/cert.pem decrypt: true mode: 0444 - name: (Alpine Linux) Copy NGINX App Protect WAF/DoS key ansible.builtin.copy: - src: "{{ nginx_app_protect_license.key }}" + src: "{{ nginx_app_protect_license['key'] }}" dest: /etc/apk/cert.key decrypt: true mode: 0444 @@ -45,7 +45,7 @@ fail_msg: Something went wrong! Make sure your App Protect WAF/DoS license is valid! - name: (Debian/Red Hat OSs) Set up NGINX App Protect WAF/DoS license - when: ansible_os_family != "Alpine" + when: ansible_facts['os_family'] != "Alpine" block: - name: (Debian/Red Hat OSs) Create SSL directory ansible.builtin.file: @@ -60,12 +60,12 @@ decrypt: true mode: 0444 loop: - - "{{ nginx_app_protect_license.certificate }}" - - "{{ nginx_app_protect_license.key }}" + - "{{ nginx_app_protect_license['certificate'] }}" + - "{{ nginx_app_protect_license['key'] }}" - name: (Debian/Red Hat OSs) Install cryptography package ansible.builtin.package: - name: "{{ (ansible_python.version.major == 3) | ternary('python3-cryptography', 'python2-cryptography') }}" + name: "{{ (ansible_python['version']['major'] == 3) | ternary('python3-cryptography', 'python2-cryptography') }}" - name: (Debian/Red Hat OSs) Check that NGINX App Protect WAF/DoS certificate is valid community.crypto.x509_certificate_info: 
@@ -80,7 +80,7 @@ - name: (Debian/Red Hat OSs) Check that NGINX App Protect WAF/DoS license is valid ansible.builtin.assert: that: - - cert.expired == false - - cert.public_key == key.public_key + - "{{ not cert['expired'] | bool }}" + - "{{ cert['public_key'] == key['public_key'] }}" success_msg: Your NGINX App Protect WAF/DoS license is valid! fail_msg: Something went wrong! Make sure your NGINX App Protect WAF/DoS license is valid! diff --git a/tasks/common/keys/setup-keys.yml b/tasks/common/keys/setup-keys.yml index 6c29726..838d1f0 100644 --- a/tasks/common/keys/setup-keys.yml +++ b/tasks/common/keys/setup-keys.yml @@ -1,10 +1,10 @@ --- - name: (Alpine Linux) Set up NGINX App Protect DoS signing key - when: ansible_os_family == "Alpine" + when: ansible_facts['os_family'] == "Alpine" block: - name: (Alpine Linux) Set up NGINX App Protect DoS signing key URL ansible.builtin.set_fact: - keysite: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_rsa_pub) }}" + keysite: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_rsa_pub) }}" - name: (Alpine Linux) Download NGINX App Protect DoS signing key ansible.builtin.get_url: 
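Review bot: The two rewritten `that:` entries wrap the conditions in `{{ }}`, which turns them into templated strings that Ansible then re-evaluates as conditionals, and Ansible's conditional evaluator typically warns about templating delimiters in conditionals. The bracket notation does not require them: `- not cert['expired'] | bool` and `- cert['public_key'] == key['public_key']` keep the original semantics (the `| bool` filter binds to `cert['expired']` before `not` is applied). Since this assertion is what accepts or rejects the license certificate/key pair, keeping the conditions as plain expressions also keeps the check easy to audit. The enclosing `(Debian/Red Hat OSs) Set up NGINX App Protect WAF/DoS license` block starts outside the hunk.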
@@ -13,27 +13,27 @@ mode: 0400 - name: (Debian/Ubuntu) Set up NGINX App Protect and security updates signing key - when: ansible_os_family == "Debian" + when: ansible_facts['os_family'] == "Debian" block: - name: (Debian/Ubuntu) Add NGINX Plus signing key ansible.builtin.apt_key: keyring: /usr/share/keyrings/nginx-archive-keyring.gpg - url: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}" + url: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_pgp) }}" - name: (Debian/Ubuntu) Add NGINX App Protect security updates signing key ansible.builtin.apt_key: keyring: /usr/share/keyrings/nginx-archive-keyring.gpg - url: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}" + url: "{{ nginx_app_protect_waf_signing_key['waf_security_updates'] | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}" when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool) - name: (Amazon Linux/CentOS/RHEL) Set up NGINX App Protect and security updates signing key - when: ansible_os_family == "RedHat" + when: ansible_facts['os_family'] == "RedHat" block: - name: (CentOS/RHEL) Add NGINX Plus signing key ansible.builtin.rpm_key: - key: "{{ nginx_app_protect_signing_key.nginx_plus | default(nginx_app_protect_default_signing_key_pgp) }}" + key: "{{ nginx_app_protect_signing_key['nginx_plus'] | default(nginx_app_protect_default_signing_key_pgp) }}" - name: (Amazon Linux/CentOS/RHEL) Add NGINX App Protect security updates signing key ansible.builtin.rpm_key: - key: "{{ nginx_app_protect_waf_signing_key.waf_security_updates | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}" + key: "{{ nginx_app_protect_waf_signing_key['waf_security_updates'] | default(nginx_app_protect_waf_security_updates_default_signing_key_pgp) }}" 
when: (nginx_app_protect_waf_install_signatures | bool) or (nginx_app_protect_waf_install_threat_campaigns | bool) diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml index 810a6e3..1abd5f5 100644 --- a/tasks/common/prerequisites/install-dependencies.yml +++ b/tasks/common/prerequisites/install-dependencies.yml @@ -4,28 +4,28 @@ name: "{{ nginx_app_protect_alpine_dependencies }}" update_cache: true state: latest # noqa package-latest - when: ansible_os_family == "Alpine" + when: ansible_facts['os_family'] == "Alpine" - name: (Debian/Ubuntu) Install package dependencies ansible.builtin.apt: name: "{{ nginx_app_protect_debian_dependencies }}" update_cache: true state: latest # noqa package-latest - when: ansible_os_family == "Debian" + when: ansible_facts['os_family'] == "Debian" - name: (Amazon Linux) Set up Amazon Linux Extras repositories ansible.builtin.command: amazon-linux-extras enable {{ item }} changed_when: false loop: "{{ nginx_app_protect_amazon_extras }}" - when: ansible_distribution == "Amazon" + when: ansible_facts['distribution'] == "Amazon" - name: (Amazon Linux/CentOS/RHEL) Install package dependencies - when: ansible_os_family == "RedHat" + when: ansible_facts['os_family'] == "RedHat" block: - name: (Amazon Linux/CentOS/RHEL) Import EPEL GPG key ansible.builtin.rpm_key: state: present - key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ (ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version) }} + key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ (ansible_facts['distribution'] == 'Amazon') | ternary('7', ansible_facts['distribution_major_version']) }} - name: (Amazon Linux/CentOS/RHEL) Install package dependencies ansible.builtin.yum: 
@@ -34,7 +34,7 @@ state: latest # noqa package-latest - name: (RHEL) Set up RHEL specific repositories - when: ansible_distribution == "RedHat" + when: ansible_facts['distribution'] == "RedHat" block: - name: (RHEL 7) Set up RHEL dependencies from OSS repositories ansible.builtin.yum_repository: @@ -46,7 +46,7 @@ gpgkey: https://ftp.heanet.ie/pub/centos/7/os/$basearch/RPM-GPG-KEY-CentOS-7 state: "{{ nginx_app_protect_license_status | default('present') }}" when: - - ansible_distribution_major_version == "7" + - ansible_facts['distribution_major_version'] is version('7', '==') - not nginx_app_protect_use_rhel_subscription_repos | bool - name: (RHEL 7 DoS) Set up RHEL NGINX App Protect DoS dependencies from OSS repositories @@ -59,7 +59,7 @@ gpgkey: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7 state: "{{ nginx_app_protect_license_status | default('present') }}" when: - - ansible_distribution_major_version == "7" + - ansible_facts['distribution_major_version'] is version('7', '==') - not nginx_app_protect_use_rhel_subscription_repos | bool - nginx_app_protect_dos_enable | bool @@ -75,14 +75,14 @@ - rhel-7-server-extras-rpms - rhel-ha-for-rhel-7-server-rpms when: - - ansible_distribution_major_version == "7" + - ansible_facts['distribution_major_version'] is version('7', '==') - nginx_app_protect_use_rhel_subscription_repos | bool - name: (RHEL 8) Set up RHEL dependencies from RHEL official repositories community.general.rhsm_repository: name: codeready-builder-for-rhel-8-x86_64-rpms when: - - ansible_distribution_major_version == "8" + - ansible_facts['distribution_major_version'] is version('8', '==') - nginx_app_protect_use_rhel_subscription_repos | bool - name: (Oracle Linux) Set up Oracle Linux specific repositories @@ -92,4 +92,4 @@ option: enabled value: 1 mode: 0644 - when: ansible_distribution == "OracleLinux" + when: ansible_facts['distribution'] == "OracleLinux" 
diff --git a/tasks/common/prerequisites/setup-selinux.yml b/tasks/common/prerequisites/setup-selinux.yml index b2698ed..723c8b4 100644 --- a/tasks/common/prerequisites/setup-selinux.yml +++ b/tasks/common/prerequisites/setup-selinux.yml @@ -75,7 +75,7 @@ - name: Import SELinux NGINX App Protect module ansible.builtin.command: semodule -i {{ nginx_app_protect_selinux_tempdir }}/nginx-app-protect-module.pp # noqa no-handler changed_when: false - when: nginx_app_protect_selinux_module.changed | bool + when: nginx_app_protect_selinux_module['changed'] | bool - name: Set SELinux mode to enforcing ansible.posix.selinux: diff --git a/tasks/common/validate/validate.yml b/tasks/common/validate/validate.yml index dd8f299..0be2f5b 100644 --- a/tasks/common/validate/validate.yml +++ b/tasks/common/validate/validate.yml @@ -29,10 +29,10 @@ - name: Warn if installing NGINX App Protect on RHEL >7 without subscription details ansible.builtin.fail: - msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_distribution_version }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true. + msg: NGINX App Protect cannot be installed on Red Hat Enterprise Linux {{ ansible_facts['distribution_version'] }} without a valid Red Hat Enterprise Linux subscription. Subscribe your target environment before running the role and then set the 'nginx_app_protect_use_rhel_subscription_repos' variable to true. when: - - ansible_distribution == "RedHat" - - ansible_distribution_major_version is version('7', '>') + - ansible_facts['distribution'] == "RedHat" + - ansible_facts['distribution_major_version'] is version('7', '>') - not nginx_app_protect_use_rhel_subscription_repos | bool ignore_errors: true # noqa ignore-errors diff --git a/tasks/main.yml b/tasks/main.yml index 1726bb7..417ab74 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -21,12 +21,12 @@ tags: nginx_app_protect_setup_license - name: "{{ nginx_app_protect_waf_setup | capitalize }} NGINX App Protect WAF" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_os_family | lower }}.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/waf/install-{{ ansible_facts['os_family'] | lower }}.yml" when: nginx_app_protect_waf_enable | bool tags: nginx_app_protect_install_app_protect_waf - name: "{{ nginx_app_protect_dos_setup | capitalize }} NGINX App Protect DoS" - ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_os_family | lower }}.yml" + ansible.builtin.include_tasks: "{{ role_path }}/tasks/dos/install-{{ ansible_facts['os_family'] | lower }}.yml" when: nginx_app_protect_dos_enable | bool tags: nginx_app_protect_install_app_protect_dos diff --git a/tasks/waf/install-redhat.yml b/tasks/waf/install-redhat.yml index 60fd4e7..75c8afb 100644 --- a/tasks/waf/install-redhat.yml +++ b/tasks/waf/install-redhat.yml @@ -3,7 +3,7 @@ ansible.builtin.yum_repository: name: nginx-plus description: NGINX Plus repository - baseurl: "{{ nginx_plus_repository | default(lookup('vars', 'nginx_plus_default_repository_' + ((ansible_distribution == 'Amazon') | ternary('amazon', 'redhat')))) }}" + baseurl: "{{ nginx_plus_repository | default(lookup('vars', 'nginx_plus_default_repository_' + ((ansible_facts['distribution'] == 'Amazon') | ternary('amazon', 'redhat')))) }}" sslclientcert: /etc/ssl/nginx/nginx-repo.crt sslclientkey: /etc/ssl/nginx/nginx-repo.key enabled: true 
@@ -16,7 +16,7 @@ ansible.builtin.yum_repository: name: nginx-app-protect description: NGINX App Protect WAF repository - baseurl: "{{ nginx_app_protect_waf_repository | default(lookup('vars', 'nginx_app_protect_waf_default_repository_' + ((ansible_distribution == 'Amazon') | ternary('amazon', 'redhat')))) }}" + baseurl: "{{ nginx_app_protect_waf_repository | default(lookup('vars', 'nginx_app_protect_waf_default_repository_' + ((ansible_facts['distribution'] == 'Amazon') | ternary('amazon', 'redhat')))) }}" sslclientcert: /etc/ssl/nginx/nginx-repo.crt sslclientkey: /etc/ssl/nginx/nginx-repo.key enabled: true @@ -29,7 +29,7 @@ ansible.builtin.yum_repository: name: nginx-app-protect-security-updates description: NGINX App Protect WAF security updates repository - baseurl: "{{ nginx_app_protect_waf_security_updates_repository | default(lookup('vars', 'nginx_app_protect_waf_security_updates_default_repository_' + ((ansible_distribution == 'Amazon') | ternary('amazon', 'redhat')))) }}" + baseurl: "{{ nginx_app_protect_waf_security_updates_repository | default(lookup('vars', 'nginx_app_protect_waf_security_updates_default_repository_' + ((ansible_facts['distribution'] == 'Amazon') | ternary('amazon', 'redhat')))) }}" sslclientcert: /etc/ssl/nginx/nginx-repo.crt sslclientkey: /etc/ssl/nginx/nginx-repo.key enabled: true diff --git a/vars/main.yml b/vars/main.yml index f747a34..8687ff7 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -14,7 +14,7 @@ nginx_app_protect_waf_state: "{{ nginx_app_protect_state_vals[nginx_app_protect_ nginx_app_protect_dos_default_setup: install nginx_app_protect_dos_state: "{{ nginx_app_protect_state_vals[nginx_app_protect_dos_setup] | default(nginx_app_protect_state_vals[nginx_app_protect_dos_default_setup]) }}" -# NGINX App Protect WAF platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts +# Supported NGINX App Protect WAF distributions nginx_app_protect_waf_distributions: amazon: name: Amazon Linux @@ -41,7 +41,7 @@ nginx_app_protect_waf_distributions: versions: [18.04, 20.04] architectures: [x86_64] -# NGINX App Protect DoS platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts +# Supported NGINX App Protect DoS distributions nginx_app_protect_dos_distributions: alpine: name: Alpine Linux @@ -74,7 +74,7 @@ nginx_app_protect_amazon_extras: [selinux-ng] nginx_app_protect_debian_dependencies: [apt-transport-https, ca-certificates] # Red Hat dependencies -nginx_app_protect_redhat_dependencies: [ca-certificates, "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ((ansible_distribution == 'Amazon') | ternary('7', ansible_distribution_major_version)) }}.noarch.rpm"] +nginx_app_protect_redhat_dependencies: [ca-certificates, "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ((ansible_facts['distribution'] == 'Amazon') | ternary('7', ansible_facts['distribution_major_version'])) }}.noarch.rpm"] # Choose where to fetch the NGINX App Protect and Security Updates signing keys from. # Default settings are the official NGINX signing key hosts. 
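Review bot: The replacement comment `# Supported NGINX App Protect WAF distributions` drops the only hint about what the matrix entries are matched against; the removed text said the values come from the distribution and distribution-version facts. Since the role is standardising on array notation, the comment should carry that forward, e.g. `# Supported NGINX App Protect WAF distributions; 'versions' is compared against ansible_facts['distribution_version'] and 'architectures' against the architecture fact` — confirm the exact fields against the task that consumes this matrix before adopting the wording. Note also that the adjacent `versions: [18.04, 20.04]` entries are parsed as YAML floats, so a future `20.10` would silently be read as `20.1`; quoting them (`["18.04", "20.04"]`) avoids that. The same comment change is repeated for the DoS matrix in the next hunk.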
@@ -84,22 +84,22 @@ nginx_app_protect_waf_security_updates_default_signing_key_pgp: https://cs.nginx nginx_app_protect_waf_security_updates_default_signing_key_rsa_pub: https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub # Default NGINX Plus repositories -nginx_plus_default_repository_alpine: https://pkgs.nginx.com/plus/alpine/v{{ ansible_distribution_version | regex_search('^[0-9]+\.[0-9]+') }}/main +nginx_plus_default_repository_alpine: https://pkgs.nginx.com/plus/alpine/v{{ ansible_facts['distribution_version'] | regex_search('^[0-9]+\.[0-9]+') }}/main nginx_plus_default_repository_amazon: https://pkgs.nginx.com/plus/amzn{{ (ansible_facts['distribution_major_version'] is version('2', '==')) | ternary('2', '') }}/$releasever/$basearch nginx_plus_default_repository_debian: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/plus/{{ ansible_facts['distribution'] | lower }} {{ ansible_facts['distribution_release'] }} nginx-plus -nginx_plus_default_repository_redhat: https://pkgs.nginx.com/plus/centos/{{ ansible_distribution_major_version }}/$basearch/ +nginx_plus_default_repository_redhat: https://pkgs.nginx.com/plus/centos/{{ ansible_facts['distribution_major_version'] }}/$basearch/ # Default NGINX App Protect WAF repositories nginx_app_protect_waf_default_repository_amazon: https://pkgs.nginx.com/app-protect/centos/7/$basearch/ -nginx_app_protect_waf_default_repository_debian: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus -nginx_app_protect_waf_default_repository_redhat: https://pkgs.nginx.com/app-protect/centos/{{ ansible_distribution_major_version }}/$basearch/ +nginx_app_protect_waf_default_repository_debian: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect/{{ ansible_facts['distribution'] | lower }} 
{{ ansible_distribution_release }} nginx-plus +nginx_app_protect_waf_default_repository_redhat: https://pkgs.nginx.com/app-protect/centos/{{ ansible_facts['distribution_major_version'] }}/$basearch/ # Default NGINX App Protect WAF Security Updates repositories nginx_app_protect_waf_security_updates_default_repository_amazon: https://pkgs.nginx.com/app-protect-security-updates/centos/7/$basearch/ -nginx_app_protect_waf_security_updates_default_repository_debian: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-security-updates/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus -nginx_app_protect_waf_security_updates_default_repository_redhat: https://pkgs.nginx.com/app-protect-security-updates/centos/{{ ansible_distribution_major_version }}/$basearch/ +nginx_app_protect_waf_security_updates_default_repository_debian: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-security-updates/{{ ansible_facts['distribution'] | lower }} {{ ansible_distribution_release }} nginx-plus +nginx_app_protect_waf_security_updates_default_repository_redhat: https://pkgs.nginx.com/app-protect-security-updates/centos/{{ ansible_facts['distribution_major_version'] }}/$basearch/ # Default NGINX App Protect DoS repositories -nginx_app_protect_dos_default_repository_alpine: https://pkgs.nginx.com/app-protect-dos/alpine/v{{ ansible_distribution_version | regex_search('^[0-9]+\.[0-9]+') }}/main -nginx_app_protect_dos_default_repository_debian: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} nginx-plus -nginx_app_protect_dos_default_repository_redhat: https://pkgs.nginx.com/app-protect-dos/centos/{{ ansible_distribution_major_version }}/$basearch/ +nginx_app_protect_dos_default_repository_alpine: 
https://pkgs.nginx.com/app-protect-dos/alpine/v{{ ansible_facts['distribution_version'] | regex_search('^[0-9]+\.[0-9]+') }}/main +nginx_app_protect_dos_default_repository_debian: deb [arch=amd64 signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/app-protect-dos/{{ ansible_facts['distribution'] | lower }} {{ ansible_distribution_release }} nginx-plus +nginx_app_protect_dos_default_repository_redhat: https://pkgs.nginx.com/app-protect-dos/centos/{{ ansible_facts['distribution_major_version'] }}/$basearch/