fix(nginx): Sort lists to prevent config diff when order changes
(cherry picked from commit b8811b5)
ypid authored and drybjed committed Jan 10, 2023
1 parent b8325da commit 1fc4f3a
Showing 6 changed files with 28 additions and 22 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.rst
Expand Up @@ -150,6 +150,12 @@ General
Ansible ``user`` module that forbids use of :file:`/dev/null` as home
skeleton.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Lists in different configuration templates are sorted to ensure stable order
of elements and prevent random changes in order on subsequent role runs.

:ref:`debops.proc_hidepid` role
'''''''''''''''''''''''''''''''

Expand Up @@ -87,7 +87,7 @@ upstream {{ item.name }} {
server 127.0.0.1{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
{% else %}
{% if host in play_hosts and hostvars[host].ansible_all_ipv4_addresses is defined %}
{% for address in hostvars[host].ansible_all_ipv4_addresses | unique %}
{% for address in hostvars[host].ansible_all_ipv4_addresses | unique | sort %}
server {{ address }}{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
{% endfor %}
{% else %}
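Review bot: The new `| unique | sort` on `hostvars[host].ansible_all_ipv4_addresses` orders the addresses as strings, not numerically (in a constructed example, `10.0.0.10` would be written before `10.0.0.2`), which is enough for a stable render but should be stated so nobody later reads the order as a priority. I would add a template comment above the loop such as `{# sorted only to keep the rendered upstream stable between runs; order carries no priority #}`. If any upstream generated here uses an order-dependent balancing method such as `ip_hash`, the first run after this change may remap clients to different backends once; the balancing method is not visible in this hunk, so that is something to confirm and, if it applies, mention in the changelog entry. The same line is changed in the second upstream template (hunk at -39), and the `upstream` block starts and ends outside both hunks.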
Expand Up @@ -39,7 +39,7 @@ upstream {{ item.name }} {
server 127.0.0.1{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
{% else %}
{% if host in play_hosts and hostvars[host].ansible_all_ipv4_addresses is defined %}
{% for address in hostvars[host].ansible_all_ipv4_addresses | unique %}
{% for address in hostvars[host].ansible_all_ipv4_addresses | unique | sort %}
server {{ address }}{% if item.port is defined and item.port %}:{{ item.port }}{% endif %}{% if item.enabled is defined and not item.enabled %} down{% endif %};
{% endfor %}
{% else %}
Expand Up @@ -128,7 +128,7 @@
location {{ path }} {
{% if location_referers is defined %}
{% if location_referers[path] is defined and location_referers[path] %}
valid_referers none blocked {{ location_referers[path] | unique | join(' ') }};
valid_referers none blocked {{ location_referers[path] | unique | sort | join(' ') }};
if ($invalid_referer) {
return 403;
}
Expand All @@ -137,12 +137,12 @@
{{ item.location[path] | indent(16) | regex_replace("(?m)^\s*$", "") }}
{% if location_allow is defined %}
{% if location_allow[path] is defined and location_allow[path] %}
{% for address in location_allow[path] | unique %}
{% for address in location_allow[path] | unique | sort %}
allow {{ address }};
{% endfor %}
{% if location_deny is defined %}
{% if location_deny[path] is defined %}
{% for address in location_deny[path] | unique %}
{% for address in location_deny[path] | unique | sort %}
deny {{ address }};
{% endfor %}
{% endif %}
Expand Down Expand Up @@ -191,13 +191,13 @@
{% if entry.allow is string %}
allow {{ entry.allow }};
{% else %}
{% for address in entry.allow | unique %}
{% for address in entry.allow | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
{% endif %}
{% if entry.access_policy|d() and (entry.access_policy in nginx_access_policy_allow_map) %}
{% for address in nginx_access_policy_allow_map[entry.access_policy] | unique %}
{% for address in nginx_access_policy_allow_map[entry.access_policy] | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
Expand Down Expand Up @@ -357,13 +357,13 @@
{% if item.allow is string %}
allow {{ item.allow }};
{% else %}
{% for address in item.allow | unique %}
{% for address in item.allow | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
{% endif %}
{% if item.access_policy|d() and (item.access_policy in nginx_access_policy_allow_map) %}
{% for address in nginx_access_policy_allow_map[item.access_policy] | unique %}
{% for address in nginx_access_policy_allow_map[item.access_policy] | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
Expand Down Expand Up @@ -413,18 +413,18 @@
location = {{ item.status_name | default(nginx_status_name) }} {
stub_status on;
access_log off;
{% if nginx_status_localhost %}
{% for address in nginx_status_localhost | unique %}
{% if nginx_status_localhost %}
{% for address in nginx_status_localhost | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
{% if nginx_status %}
{% for address in nginx_status | unique %}
{% for address in nginx_status | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
{% if item.status|d() %}
{% for address in item.status | unique %}
{% for address in item.status | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
Expand Down Expand Up @@ -527,7 +527,7 @@ server {
listen {{ port }};
{% endfor %}

{% for address in nginx__tpl_hostnames | unique %}
{% for address in nginx__tpl_hostnames | unique | sort %}
server_name {{ address }};
{% endfor %}

Expand All @@ -543,7 +543,7 @@ server {
listen {{ port }};
{% endfor %}

{% for address in nginx__tpl_hostnames | unique %}
{% for address in nginx__tpl_hostnames | unique | sort %}
server_name {{ address + '.lxc' }};
{% endfor %}

Expand All @@ -559,7 +559,7 @@ server {
listen {{ port }};
{% endfor %}

{% for address in nginx__tpl_hostnames | unique %}
{% for address in nginx__tpl_hostnames | unique | sort %}
server_name {{ address }}.local;
{% endfor %}

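Review bot: Sorting `nginx__tpl_hostnames` in the three `server_name` loops (hunks at -527, -543 and -559) changes which name is written first, and nginx treats the first name of a server block as its primary name, the one exposed as `$server_name` and used for redirects when `server_name_in_redirect` is enabled. After this change the alphabetically first hostname takes that role instead of whichever one was listed first, so it is worth checking whether these blocks, or anything included in them, depend on the primary name. How `nginx__tpl_hostnames` is built is not visible here; if its first element is meant to be the canonical name, keep that element in place and sort only the remainder, with a comment such as `{# first name stays primary; the rest are sorted for a stable render #}`. The `allow` and `deny` loops in the other hunks of this file keep their meaning, since each loop emits rules of a single kind, and the `server` blocks begin and end outside the hunks.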
Expand Up @@ -24,12 +24,12 @@
access_log off;
{% set nginx__tpl_status_allow = [] %}
{% if nginx_status_localhost %}
{% for address in nginx_status_localhost | unique %}
{% for address in nginx_status_localhost | unique | sort %}
{% set _ = nginx__tpl_status_allow.append(address) %}
{% endfor %}
{% endif %}
{% if nginx_status %}
{% for address in nginx_status | unique %}
{% for address in nginx_status | unique | sort %}
{% set _ = nginx__tpl_status_allow.append(address) %}
{% endfor %}
{% endif %}
Expand All @@ -38,7 +38,7 @@
{% set _ = nginx__tpl_status_allow.append(address) %}
{% endfor %}
{% endif %}
{% for address in nginx__tpl_status_allow | sort | unique %}
{% for address in nginx__tpl_status_allow | unique | sort %}
allow {{ address }};
{% endfor %}
deny all;
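Review bot: The `| sort` added to the two inner loops over `nginx_status_localhost` and `nginx_status` has no effect on the rendered file, because those loops only append to `nginx__tpl_status_allow` and the final loop applies `| unique | sort` to the accumulated list. Leaving the inner loops as `{% for address in nginx_status_localhost | unique %}` keeps it obvious that the order is decided in one place. A short comment on the final loop, `{# single point where the allow list is de-duplicated and ordered #}`, would make that explicit. The third append loop starts outside the second hunk, and the enclosing `location` block is only partly visible.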
Expand Up @@ -75,17 +75,17 @@
location ~ ^/({{ item.php5_status_name | default(nginx_php5_status_name) }}|{{ item.php5_ping_name | default(nginx_php5_ping_name) }})$ {
access_log off;
{% if nginx_status_localhost %}
{% for address in nginx_status_localhost | unique %}
{% for address in nginx_status_localhost | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
{% if nginx_status %}
{% for address in nginx_status | unique %}
{% for address in nginx_status | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
{% if item.php5_status is defined and item.php5_status %}
{% for address in item.php5_status | unique %}
{% for address in item.php5_status | unique | sort %}
allow {{ address }};
{% endfor %}
{% endif %}
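Review bot: The three loops de-duplicate and sort each list on its own, so an address present in more than one of `nginx_status_localhost`, `nginx_status` and `item.php5_status` is still written as repeated `allow` lines, and the order is per list rather than global. The status template changed in this same commit collects the addresses into `nginx__tpl_status_allow` and renders them once with `| unique | sort`. Using that pattern here, and in the `stub_status` location of the default server template (hunk at -413), would give one consistent, minimal allow list that is easier to audit. The hunk ends before whatever follows the `allow` rules, so the closing `deny` rule is not visible from here.

```jinja
{# collect every permitted address first so the list is de-duplicated and ordered once #}
{% set nginx__tpl_php5_status_allow = [] %}
{% if nginx_status_localhost %}
{%   for address in nginx_status_localhost %}
{%     set _ = nginx__tpl_php5_status_allow.append(address) %}
{%   endfor %}
{% endif %}
{# … same append loop for nginx_status and for item.php5_status, conditions unchanged … #}
{% for address in nginx__tpl_php5_status_allow | unique | sort %}
allow {{ address }};
{% endfor %}
```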
