
Don't use 'hostname' as a substitute "DNS domain"

drybjed committed Aug 9, 2019
1 parent d4778f0 commit 59a717d0a796facd6cc34ff0a260629dafbba82c
Showing with 43 additions and 39 deletions.
  1. +6 −0 CHANGELOG.rst
  2. +1 −1 ansible/roles/debops-contrib.foodsoft/defaults/main.yml
  3. +1 −1 ansible/roles/debops-contrib.homeassistant/defaults/main.yml
  4. +1 −1 ansible/roles/debops-contrib.volkszaehler/defaults/main.yml
  5. +1 −1 ansible/roles/debops.apache/defaults/main.yml
  6. +1 −1 ansible/roles/debops.core/defaults/main.yml
  7. +1 −1 ansible/roles/debops.dhcp_probe/defaults/main.yml
  8. +1 −1 ansible/roles/debops.dnsmasq/defaults/main.yml
  9. +1 −1 ansible/roles/debops.docker_registry/defaults/main.yml
  10. +1 −1 ansible/roles/debops.elasticsearch/defaults/main.yml
  11. +1 −1 ansible/roles/debops.etc_aliases/defaults/main.yml
  12. +1 −1 ansible/roles/debops.gitlab/defaults/main.yml
  13. +1 −1 ansible/roles/debops.gitlab_runner/defaults/main.yml
  14. +1 −1 ansible/roles/debops.icinga/defaults/main.yml
  15. +1 −1 ansible/roles/debops.icinga_web/defaults/main.yml
  16. +1 −1 ansible/roles/debops.kibana/defaults/main.yml
  17. +1 −1 ansible/roles/debops.ldap/defaults/main.yml
  18. +1 −1 ansible/roles/debops.librenms/defaults/main.yml
  19. +1 −3 ansible/roles/debops.lxc/defaults/main.yml
  20. +1 −1 ansible/roles/debops.mailman/defaults/main.yml
  21. +1 −1 ansible/roles/debops.monit/defaults/main.yml
  22. +1 −1 ansible/roles/debops.mosquitto/defaults/main.yml
  23. +1 −1 ansible/roles/debops.netbox/defaults/main.yml
  24. +1 −1 ansible/roles/debops.nginx/defaults/main.yml
  25. +1 −1 ansible/roles/debops.nullmailer/defaults/main.yml
  26. +1 −1 ansible/roles/debops.opendkim/defaults/main.yml
  27. +1 −1 ansible/roles/debops.owncloud/defaults/main.yml
  28. +1 −1 ansible/roles/debops.postfix/defaults/main.yml
  29. +1 −1 ansible/roles/debops.prosody/defaults/main.yml
  30. +1 −1 ansible/roles/debops.rabbitmq_management/defaults/main.yml
  31. +1 −1 ansible/roles/debops.redis_sentinel/defaults/main.yml
  32. +1 −1 ansible/roles/debops.redis_server/defaults/main.yml
  33. +1 −1 ansible/roles/debops.rstudio_server/defaults/main.yml
  34. +1 −1 ansible/roles/debops.rsyslog/defaults/main.yml
  35. +1 −1 ansible/roles/debops.secret/defaults/main.yml
  36. +1 −1 ansible/roles/debops.slapd/defaults/main.yml
  37. +2 −2 ansible/roles/debops.sshd/defaults/main.yml
@@ -199,6 +199,12 @@ General
- The DebOps documentation generator now supports Ansible roles with multiple
:file:`defaults/main/*.yml` files.

- Various DebOps roles will no longer use the hostname as a stand-in for an
empty DNS domain when no DNS domain is detected - this resulted in the
"standalone" hosts without a DNS domain to be misconfigured. Existing setups
with a DNS domain shouldn't be affected, but configuration of standalone
hosts that deploy webservices might require modifications.

User management
'''''''''''''''

@@ -80,7 +80,7 @@ foodsoft__fqdn: 'foodsoft.{{ foodsoft__domain }}'
foodsoft__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# Database configuration [[[
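Review bot: With the hostname fallback removed, `foodsoft__domain` evaluates to an empty string on a host that has no DNS domain (`ansible_domain` is empty there), and the `foodsoft__fqdn: 'foodsoft.{{ foodsoft__domain }}'` default visible in the hunk header then renders as `foodsoft.`, a trailing-dot label rather than a usable host name. The new line itself is fine, but the variable deserves a comment such as `# Empty on hosts without a DNS domain; the foodsoft__fqdn default is then not usable as-is`, since the `.. envvar::` comment above the variable sits outside the hunk. The same applies to the other `*__domain` definitions in this commit that feed a `*__fqdn` default: homeassistant, volkszaehler, docker_registry, gitlab, icinga_web, kibana, librenms, mosquitto, netbox, owncloud, rabbitmq_management and rstudio_server. The changelog entry already says standalone hosts deploying web services may need adjustments, so this may be intentional; if so, the per-variable comment is the place to state it.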
@@ -113,7 +113,7 @@ homeassistant__fqdn: 'ha.{{ homeassistant__domain }}'
homeassistant__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# Reverse proxy configuration [[[
@@ -73,7 +73,7 @@ volkszaehler__fqdn: 'vz.{{ volkszaehler__domain }}'
volkszaehler__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# Database configuration [[[
@@ -89,7 +89,7 @@ apache__fqdn: '{{ ansible_local.core.fqdn
apache__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: apache__config_path [[[
@@ -211,7 +211,7 @@ core__distribution_release: '{{ ansible_lsb.codename
#
# The default host domain which can be used by the other roles to configure
# network services.
core__domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'
core__domain: '{{ ansible_domain }}'

# ]]]
# .. envvar:: core__fqdn [[[
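Review bot: The comment on `core__domain` (`# The default host domain which can be used by the other roles to configure network services.`) no longer tells the reader that the value can be empty, which is now the case on a host where `ansible_domain` is empty, and most roles in this commit consume it through `ansible_local.core.domain|d()`. Suggest extending it to `# ... network services. Empty when the host has no DNS domain; roles must not assume a non-empty value.` Because the `|d()` guards in the other roles treat an empty string as unset and then fall through to the same `ansible_domain` fact, the result is consistently empty rather than a hostname; stating that explicitly helps prevent someone re-adding a hostname fallback in a single role.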
@@ -123,7 +123,7 @@ dhcp_probe__options: ''
dhcp_probe__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: dhcp_probe__mail_from [[[
@@ -93,7 +93,7 @@ dnsmasq__hostname: '{{ ansible_hostname }}'
dnsmasq__base_domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: dnsmasq__base_domain_rebind_ok [[[
@@ -178,7 +178,7 @@ docker_registry__fqdn: 'registry.{{ docker_registry__domain }}'
docker_registry__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: docker_registry__backend_port [[[
@@ -161,7 +161,7 @@ elasticsearch__transport_tcp_port: '9300'
elasticsearch__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: elasticsearch__cluster_name [[[
@@ -38,7 +38,7 @@ etc_aliases__admin_private_email: '{{ ansible_local.core.admin_private_email
etc_aliases__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# Local mail aliases and their recipients [[[
@@ -126,7 +126,7 @@ gitlab__fqdn: 'code.{{ gitlab_domain }}'
gitlab_domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'
# ]]]
# ]]]
# APT packages [[[
@@ -123,7 +123,7 @@ gitlab_runner__concurrent: '{{ ansible_processor_vcpus
# .. envvar:: gitlab_runner__domain [[[
#
# The default domain used in different places of the role.
gitlab_runner__domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'
gitlab_runner__domain: '{{ ansible_domain }}'

# ]]]
# .. envvar:: gitlab_runner__fqdn [[[
@@ -128,7 +128,7 @@ icinga__fqdn: '{{ ansible_local.core.fqdn
icinga__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: icinga__master_nodes [[[
@@ -70,7 +70,7 @@ icinga_web__fqdn: 'icinga.{{ icinga_web__domain }}'
icinga_web__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: icinga_web__node_fqdn [[[
@@ -71,7 +71,7 @@ kibana__fqdn: 'kibana.{{ kibana__domain }}'
kibana__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: kibana__webserver_access_policy [[[
@@ -79,7 +79,7 @@ ldap__packages: []
ldap__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: ldap__servers_srv_rr [[[
@@ -61,7 +61,7 @@ librenms__fqdn: 'nms.{{ librenms__domain }}'
librenms__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: librenms__base_url [[[
@@ -161,9 +161,7 @@ lxc__net_domain: '{{ ansible_local.lxc.net_domain
if (ansible_local|d() and
ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain
if ansible_domain
else ansible_hostname))) }}'
else ansible_domain)) }}'

# ]]]
# .. envvar:: lxc__net_interface_fqdn [[[
@@ -54,7 +54,7 @@ mailman__fqdn: '{{ ansible_fqdn }}'
# .. envvar:: mailman__domain [[[
#
# A DNS domain name of the host that manages the default mailing lists.
mailman__domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'
mailman__domain: '{{ ansible_domain }}'

# ]]]
# .. envvar:: mailman__site_domain [[[
@@ -44,7 +44,7 @@ monit__fqdn: '{{ ansible_local.core.fqdn
monit__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: monit__check_interval [[[
@@ -176,7 +176,7 @@ mosquitto__fqdn: 'mqtt.{{ mosquitto__domain }}'
mosquitto__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: mosquitto__http_dir_path [[[
@@ -27,7 +27,7 @@ netbox__fqdn: [ 'dcim.{{ netbox__domain }}', 'ipam.{{ netbox__domain }}' ]
netbox__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# ]]]
@@ -707,7 +707,7 @@ nginx_acme_domain: 'acme.{{ ansible_domain }}'
nginx__hostname_domains: [ '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}' ]
else ansible_domain }}' ]

# ]]]
# .. envvar:: nginx_status [[[
@@ -88,7 +88,7 @@ nullmailer__fqdn: '{{ ansible_fqdn }}'
# .. envvar:: nullmailer__domain [[[
#
# The default DNS domain used in different configuration variables of the role.
nullmailer__domain: '{{ ansible_domain if ansible_domain|d() else ansible_hostname }}'
nullmailer__domain: '{{ ansible_domain }}'

# ]]]
# .. envvar:: nullmailer__adminaddr [[[
@@ -91,7 +91,7 @@ opendkim__socket: '{{ "/var/spool/postfix/opendkim/opendkim.sock"
opendkim__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: opendkim__fqdn [[[
@@ -760,7 +760,7 @@ owncloud__fqdn: 'cloud.{{ owncloud__domain }}'
owncloud__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'


# .. envvar:: owncloud__upload_size
@@ -81,7 +81,7 @@ postfix__fqdn: '{{ ansible_local.core.fqdn
postfix__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: postfix__relayhost [[[
@@ -113,7 +113,7 @@ prosody__deploy_state: "present"
prosody__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: prosody__admins [[[
@@ -46,7 +46,7 @@ rabbitmq_management__fqdn: 'rabbitmq.{{ rabbitmq_management__domain }}'
rabbitmq_management__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: rabbitmq_management__webserver_allow [[[
@@ -68,7 +68,7 @@ redis_sentinel__auth_group: 'redis-auth'
redis_sentinel__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: redis_sentinel__auth_password [[[
@@ -68,7 +68,7 @@ redis_server__auth_group: 'redis-auth'
redis_server__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: redis_server__auth_password [[[
@@ -234,7 +234,7 @@ rstudio_server__fqdn: 'rstudio.{{ rstudio_server__domain }}'
rstudio_server__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: rstudio_server__upload_size [[[
@@ -240,7 +240,7 @@ rsyslog__send_over_tls_only: False
# .. envvar:: rsyslog__domain [[[
#
# The default DNS domain used to accept remote incoming logs from remote hosts.
rsyslog__domain: '{{ ansible_domain if ansible_domain else ansible_hostname }}'
rsyslog__domain: '{{ ansible_domain }}'

# ]]]
# .. envvar:: rsyslog__permitted_peers [[[
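Review bot: `rsyslog__domain` is documented as the domain used to accept remote incoming logs, and after this change it is an empty string on a host without a DNS domain; `rsyslog__permitted_peers`, which follows this variable and is outside the hunk, presumably derives the accepted peer names from it and should be checked for the empty case rather than assumed to yield a meaningful pattern. I would at least amend the comment to `# The default DNS domain used to accept remote incoming logs from remote hosts. May be empty on hosts without a DNS domain.` The same consideration applies to `mailman__domain` and `gitlab_runner__domain` in this commit, whose comments likewise describe a domain that can now be empty.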
@@ -72,7 +72,7 @@ secret__no_log: True
secret__ldap_domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: secret__ldap_fqdn [[[
@@ -177,7 +177,7 @@ slapd__log_dir: '/var/log/slapd'
slapd__domain: '{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

# ]]]
# .. envvar:: slapd__base_dn [[[
@@ -852,7 +852,7 @@ sshd__pam_access__dependent_rules:
origins: '.{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

- name: 'deny-root'
comment: 'Deny access to root account via SSH from anywhere else'
@@ -891,7 +891,7 @@ sshd__pam_access__dependent_rules:
origins: '.{{ ansible_local.core.domain
if (ansible_local|d() and ansible_local.core|d() and
ansible_local.core.domain|d())
else (ansible_domain if ansible_domain else ansible_hostname) }}'
else ansible_domain }}'

- name: 'deny-all'
comment: 'Deny access via SSH by anyone from anywhere'
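Review bot: On a host without a DNS domain the `origins` entry now renders as the bare string `.` (the literal leading dot followed by an empty `ansible_domain`), and what pam_access matches for a lone `.` suffix, if anything, is not evident from the rule itself. Both changed entries precede a deny rule (`deny-root` in the first hunk, `deny-all` in the second), which suggests they are allow rules for hosts in the local domain; if the `.` origin matches nothing, those hosts fall through to the deny rules, which is fail-closed but may remove the remaining SSH access path on standalone hosts. The rule headers are outside the hunk, so I cannot confirm their permission fields; please verify the standalone-host behaviour, and either render the origins entry only when the domain is non-empty or record the intended standalone behaviour in the rule's `comment:` field.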
