diff --git a/.github/workflows/ce-provision-publish-docs.yml b/.github/workflows/ce-provision-publish-docs.yml
index b87f9afe5..232a71d99 100644
--- a/.github/workflows/ce-provision-publish-docs.yml
+++ b/.github/workflows/ce-provision-publish-docs.yml
@@ -58,6 +58,8 @@ jobs:
 # First build and publish the markdown docs
 - name: Build and commit table of contents and README files back to the repo
 run: |
+ /usr/bin/git fetch origin 2.x
+ /usr/bin/git merge origin/${{ github.event.pull_request.base.ref }} --allow-unrelated-histories
 /bin/sh contribute/toc.sh
 /usr/bin/find . -name "*.md" | xargs git add
 /usr/bin/git diff --staged --quiet || /usr/bin/git commit -am "GitHub Actions - updating markdown docs - ${{ github.event.repository.updated_at }}"
diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md
index f802c46a2..8cf21ccce 100644
--- a/docs/roles/aws/aws_acl.md
+++ b/docs/roles/aws/aws_acl.md
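Review bot: The base branch name is spliced straight into the shell script on the second added line (`origin/${{ github.event.pull_request.base.ref }}`), so any shell metacharacters in a branch name created by someone with push access are executed by the runner; GitHub's hardening guidance is to pass `${{ }}` values through `env:` and quote them. Set `BASE_REF: ${{ github.event.pull_request.base.ref }}` under an `env:` on this step and use `/usr/bin/git fetch origin "$BASE_REF"` and `/usr/bin/git merge "origin/$BASE_REF" --allow-unrelated-histories`, which also removes the mismatch between the hard-coded `2.x` fetch and the base-ref merge: a PR targeting any other branch fetches `2.x` but merges a ref that may not have been fetched at all. If this workflow can also run on a non-pull_request event, `base.ref` expands to nothing and the merge target becomes `origin/`, so a `test -n "$BASE_REF"` guard before the merge would make that failure explicit rather than leaving it to git's error text. `--allow-unrelated-histories` switches off git's only protection against merging a branch that shares no ancestor into the docs commit this step creates, and deserves a comment saying why the histories are expected to be unrelated, or should be dropped if they are not. The job's trigger, token permissions and any push step are outside the hunk.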
@@ -19,29 +19,37 @@ aws_acl:
 rate_limit:
 value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
 priority: 2 # can be float with 1 decimal place
- ip_sets:
- - rule_name: "Allowed-IPs-rule"
- set_name: "Allowed-IPs-set"
- description: "List of IPs to whitelist - Ansible managed"
- action: allow
- priority: 1
- list:
- - 1.1.1.1/32
- - 2.2.2.2/32
- country_codes:
- - name: "allowed-countries"
- action: allow
- priority: 0.2
- list:
- - GB
- - HR
- - name: "blocked-countries"
- action: block
- priority: 8
- list:
- - RU
- - CN
+ ip_sets: []
+# Example IP set to allow a list of safe IPs
+# - rule_name: "Allowed-IPs-rule"
+# set_name: "Allowed-IPs-set"
+# description: "List of IPs to safelist - Ansible managed"
+# action: allow
+# priority: 1
+# list:
+# - 1.1.1.1/32
+# - 2.2.2.2/32
+# - 30.30.30.0/24
+# Example country code ruleset allowing one set of countries and blocking another
+# country_codes:
+# - name: "allowed-countries"
+# action: allow
+# priority: 0.2
+# list:
+# - GB
+# - HR
+# - FR
+# - ES
+# - UY
+# - JP
+# - name: "blocked-countries"
+# action: block
+# priority: 8
+# list:
+# - RU
+# - CN
 regular_rules:
+ # Commonly required Drupal rule to allow Panels to function
 - name: allow_panels
 action: allow
 statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements)
diff --git a/docs/roles/aws/aws_credentials.md b/docs/roles/aws/aws_credentials.md
index feee7956b..1ebd66959 100644
--- a/docs/roles/aws/aws_credentials.md
+++ b/docs/roles/aws/aws_credentials.md
@@ -12,7 +12,7 @@ Simple role generating credentials "profiles" in users $HOME/.aws/credentials.
 aws_credentials:
 - user: ce-dev
 profiles:
- - name: profile1
+ - name: profile1 # profiles should never contain hyphens
 access_key_id: XXX
 secret_access_key: XXXX
 - name: example
diff --git a/docs/roles/aws/aws_provision_ec2_keypair.md b/docs/roles/aws/aws_provision_ec2_keypair.md
index 5267a111c..2a9bc39ae 100644
--- a/docs/roles/aws/aws_provision_ec2_keypair.md
+++ b/docs/roles/aws/aws_provision_ec2_keypair.md
@@ -10,7 +10,8 @@ Creates a key pair for the current "provision user"
 aws_provision_ec2_keypair:
 aws_profile: "{{ _aws_profile }}"
 region: "{{ _aws_region }}"
- key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}"
+ key_name: "{{ _ce_provision_username }}@{{ ansible_hostname }}"
+ key_type: ed25519 # defaults to ed25519 as used in the ce_provision role, set to rsa to or ecdsa as necessary
 ```
diff --git a/docs/roles/debian/gitlab.md b/docs/roles/debian/gitlab.md
index f4b11638b..de9001f30 100644
--- a/docs/roles/debian/gitlab.md
+++ b/docs/roles/debian/gitlab.md
@@ -24,14 +24,15 @@ gitlab:
 apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades
 apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
 server_name: "gitlab.{{ _domain_name }}"
+ force_stop: true # whether to stop GitLab to reconfigure or not
 # Add a record for GitLab in AWS Route 53
 # If you use the aws_ec2_with_eip role to create your server this will not be necessary
 gitlab_route_53:
 state: present
 zone: "" # empty zone skips DNS creation
- record: "{{ _domain_name }}"
- type: A # change to CNAME if required
- value: 1.2.3.4 # set IP if type: A and target hostname if type: CNAME
+ record: "gitlab.{{ _domain_name }}"
+ type: CNAME # change to A if required
+ value: "{{ _domain_name }}" # set IP if type: A and target hostname if type: CNAME
 aws_profile: another # Not necessarily the same as the "target" one for the server
 wildcard: true # Creates a matching wildcard CNAME
 letsencrypt: "true" # use built-in GitLab LetsEncrypt support by default letsencrypt: "true" # GitLab's built in SSL handling enabled by default
@@ -90,10 +91,10 @@ gitlab:
 omniauth_auto_link_saml_user: "false"
 omniauth_block_auto_created_users: "true"
 omniauth_login_button_label: "Login with SAML"
- omniauth_consumer_service_url: "https://{{ _domain_name }}/users/auth/saml/callback"
+ omniauth_consumer_service_url: "https://gitlab.{{ _domain_name }}/users/auth/saml/callback"
 omniauth_saml_cert_fingerprint: "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" # fingerprint of the SAML server's certificate
 omniauth_saml_endpoint_url: https://login.example.com/simplesaml/saml2/idp/SSOService.php # typical endpoint if you followed the SimpleSAMLphp QuickStart - https://simplesamlphp.org/docs/stable/simplesamlphp-idp.html
- omniauth_saml_entity_id: "{{ _domain_name }}" # can be any string, typically just the domain name
+ omniauth_saml_entity_id: "gitlab.{{ _domain_name }}" # can be any string, typically just the domain name
 omniauth_saml_attribute_statements: "uid: ['uid']" # typical basic set-up if your SAML authsource is OpenLDAP
 # Other services
 prometheus: "true" # enable/disable built-in Prometheus
diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md
index 3dbfc823e..de013688e 100644
--- a/roles/aws/aws_acl/README.md
+++ b/roles/aws/aws_acl/README.md
@@ -74,6 +74,7 @@ aws_acl:
 # - RU
 # - CN
 regular_rules:
+ # Commonly required Drupal rule to allow Panels to function
 - name: allow_panels
 action: allow
 statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements)
diff --git a/roles/aws/aws_credentials/README.md b/roles/aws/aws_credentials/README.md
index feee7956b..1ebd66959 100644
--- a/roles/aws/aws_credentials/README.md
+++ b/roles/aws/aws_credentials/README.md
@@ -12,7 +12,7 @@ Simple role generating credentials "profiles" in users $HOME/.aws/credentials.
 aws_credentials:
 - user: ce-dev
 profiles:
- - name: profile1
+ - name: profile1 # profiles should never contain hyphens
 access_key_id: XXX
 secret_access_key: XXXX
 - name: example
diff --git a/roles/aws/aws_provision_ec2_keypair/README.md b/roles/aws/aws_provision_ec2_keypair/README.md
index 5267a111c..2a9bc39ae 100644
--- a/roles/aws/aws_provision_ec2_keypair/README.md
+++ b/roles/aws/aws_provision_ec2_keypair/README.md
@@ -10,7 +10,8 @@ Creates a key pair for the current "provision user"
 aws_provision_ec2_keypair:
 aws_profile: "{{ _aws_profile }}"
 region: "{{ _aws_region }}"
- key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}"
+ key_name: "{{ _ce_provision_username }}@{{ ansible_hostname }}"
+ key_type: ed25519 # defaults to ed25519 as used in the ce_provision role, set to rsa to or ecdsa as necessary
 ```
diff --git a/roles/debian/gitlab/README.md b/roles/debian/gitlab/README.md
index f4b11638b..de9001f30 100644
--- a/roles/debian/gitlab/README.md
+++ b/roles/debian/gitlab/README.md
@@ -24,14 +24,15 @@ gitlab:
 apt_origin: "origin=packages.gitlab.com/gitlab/gitlab-ce,codename=${distro_codename},label=gitlab-ce" # used by apt_unattended_upgrades
 apt_signed_by: https://packages.gitlab.com/gitlab/gitlab-ce/gpgkey
 server_name: "gitlab.{{ _domain_name }}"
+ force_stop: true # whether to stop GitLab to reconfigure or not
 # Add a record for GitLab in AWS Route 53
 # If you use the aws_ec2_with_eip role to create your server this will not be necessary
 gitlab_route_53:
 state: present
 zone: "" # empty zone skips DNS creation
- record: "{{ _domain_name }}"
- type: A # change to CNAME if required
- value: 1.2.3.4 # set IP if type: A and target hostname if type: CNAME
+ record: "gitlab.{{ _domain_name }}"
+ type: CNAME # change to A if required
+ value: "{{ _domain_name }}" # set IP if type: A and target hostname if type: CNAME
 aws_profile: another # Not necessarily the same as the "target" one for the server
 wildcard: true # Creates a matching wildcard CNAME
 letsencrypt: "true" # use built-in GitLab LetsEncrypt support by default letsencrypt: "true" # GitLab's built in SSL handling enabled by default
@@ -90,10 +91,10 @@ gitlab:
 omniauth_auto_link_saml_user: "false"
 omniauth_block_auto_created_users: "true"
 omniauth_login_button_label: "Login with SAML"
- omniauth_consumer_service_url: "https://{{ _domain_name }}/users/auth/saml/callback"
+ omniauth_consumer_service_url: "https://gitlab.{{ _domain_name }}/users/auth/saml/callback"
 omniauth_saml_cert_fingerprint: "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" # fingerprint of the SAML server's certificate
 omniauth_saml_endpoint_url: https://login.example.com/simplesaml/saml2/idp/SSOService.php # typical endpoint if you followed the SimpleSAMLphp QuickStart - https://simplesamlphp.org/docs/stable/simplesamlphp-idp.html
- omniauth_saml_entity_id: "{{ _domain_name }}" # can be any string, typically just the domain name
+ omniauth_saml_entity_id: "gitlab.{{ _domain_name }}" # can be any string, typically just the domain name
 omniauth_saml_attribute_statements: "uid: ['uid']" # typical basic set-up if your SAML authsource is OpenLDAP
 # Other services
 prometheus: "true" # enable/disable built-in Prometheus