⬆️ Change whitelist to allowlist (#118)

anarion80 · May 1, 2024 · ca41962 · ca41962
1 parent 96eb30f
commit ca41962
Show file tree

Hide file tree

Showing 10 changed files with 31 additions and 31 deletions.
diff --git a/roles/authelia/tasks/main.yml b/roles/authelia/tasks/main.yml
@@ -40,9 +40,9 @@
           traefik.http.routers.authelia.tls.certresolver: "letsencrypt"
           traefik.http.routers.authelia.tls.domains[0].main: "{{ ansible_nas_domain }}"
           traefik.http.routers.authelia.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
-          traefik.http.routers.authelia.middlewares: "authelia-whitelist"
-          traefik.http.middlewares.authelia-whitelist.ipwhitelist.ipstrategy.depth: "1"
-          traefik.http.middlewares.authelia-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
+          traefik.http.routers.authelia.middlewares: "authelia-allowlist"
+          traefik.http.middlewares.authelia-allowlist.IPAllowList.ipstrategy.depth: "1"
+          traefik.http.middlewares.authelia-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
           traefik.http.middlewares.authelia.forwardauth.address: "http://authelia:9091/api/verify?rd=https://{{ authelia_hostname }}.{{ ansible_nas_domain }}"  # yamllint disable-line rule:line-length
           traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true"
           traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: "Remote-User,Remote-Groups,Remote-Name,Remote-Email"  # yamllint disable-line rule:line-length

diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
@@ -116,9 +116,9 @@
           traefik.http.routers.authentik.tls.certresolver: "letsencrypt"
           traefik.http.routers.authentik.tls.domains[0].main: "{{ ansible_nas_domain }}"
           traefik.http.routers.authentik.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
-          traefik.http.middlewares.authentik-whitelist.ipwhitelist.ipstrategy.depth: "1"
-          traefik.http.middlewares.authentik-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
-          traefik.http.routers.authentik.middlewares: "authentik-whitelist"
+          traefik.http.middlewares.authentik-allowlist.IPAllowList.ipstrategy.depth: "1"
+          traefik.http.middlewares.authentik-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
+          traefik.http.routers.authentik.middlewares: "authentik-allowlist"
           traefik.http.services.authentik.loadbalancer.server.port: "9000"
         restart_policy: unless-stopped
         memory: "{{ authentik_server_memory }}"

diff --git a/roles/barcodebuddy/tasks/main.yml b/roles/barcodebuddy/tasks/main.yml
@@ -37,9 +37,9 @@
           traefik.http.routers.barcodebuddy.tls.certresolver: "letsencrypt"
           traefik.http.routers.barcodebuddy.tls.domains[0].main: "{{ ansible_nas_domain }}"
           traefik.http.routers.barcodebuddy.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
-          traefik.http.middlewares.barcodebuddy-whitelist.ipwhitelist.ipstrategy.depth: "1"
-          traefik.http.middlewares.barcodebuddy-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
-          traefik.http.routers.barcodebuddy.middlewares: "barcodebuddy-whitelist"
+          traefik.http.middlewares.barcodebuddy-allowlist.IPAllowList.ipstrategy.depth: "1"
+          traefik.http.middlewares.barcodebuddy-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
+          traefik.http.routers.barcodebuddy.middlewares: "barcodebuddy-allowlist"
           traefik.http.services.barcodebuddy.loadbalancer.server.port: "80"
         restart_policy: unless-stopped
         memory: "{{ barcodebuddy_memory }}"

diff --git a/roles/flame/tasks/main.yml b/roles/flame/tasks/main.yml
@@ -26,9 +26,9 @@
           traefik.http.routers.flame.tls.certresolver: "letsencrypt"
           traefik.http.routers.flame.tls.domains[0].main: "{{ ansible_nas_domain }}"
           traefik.http.routers.flame.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
-          traefik.http.middlewares.flame-whitelist.ipwhitelist.ipstrategy.depth: "1"
-          traefik.http.middlewares.flame-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
-          traefik.http.routers.flame.middlewares: "flame-whitelist"
+          traefik.http.middlewares.flame-allowlist.IPAllowList.ipstrategy.depth: "1"
+          traefik.http.middlewares.flame-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
+          traefik.http.routers.flame.middlewares: "flame-allowlist"
           traefik.http.services.flame.loadbalancer.server.port: "5005"
         restart_policy: unless-stopped
         memory: "{{ flame_memory }}"

diff --git a/roles/grocy/tasks/main.yml b/roles/grocy/tasks/main.yml
@@ -27,9 +27,9 @@
           traefik.http.routers.grocy.tls.certresolver: "letsencrypt"
           traefik.http.routers.grocy.tls.domains[0].main: "{{ ansible_nas_domain }}"
           traefik.http.routers.grocy.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
-          traefik.http.middlewares.grocy-whitelist.ipwhitelist.ipstrategy.depth: "1"
-          traefik.http.middlewares.grocy-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
-          traefik.http.routers.grocy.middlewares: "grocy-whitelist"
+          traefik.http.middlewares.grocy-allowlist.IPAllowList.ipstrategy.depth: "1"
+          traefik.http.middlewares.grocy-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
+          traefik.http.routers.grocy.middlewares: "grocy-allowlist"
           traefik.http.services.grocy.loadbalancer.server.port: "80"
         restart_policy: unless-stopped
         memory: "{{ grocy_memory }}"

diff --git a/roles/portainer/defaults/main.yml b/roles/portainer/defaults/main.yml
@@ -8,7 +8,7 @@ portainer_data_directory: "{{ docker_home }}/portainer/config"
 # network
 portainer_port: "9000"
 portainer_hostname: "portainer"
-portainer_ip_whitelist: "0.0.0.0/0"
+portainer_ip_allowlist: "0.0.0.0/0"
 
 # docker
 portainer_container_name: "portainer"

diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml
@@ -28,8 +28,8 @@
           traefik.http.routers.portainer.tls.domains[0].main: "{{ ansible_nas_domain }}"
           traefik.http.routers.portainer.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
           traefik.http.services.portainer.loadbalancer.server.port: "9443"
-          traefik.http.routers.portainer.middlewares: "portainer-ipwhitelist@docker"
-          traefik.http.middlewares.portainer-ipwhitelist.ipwhitelist.sourcerange: "{{ portainer_ip_whitelist }}"
+          traefik.http.routers.portainer.middlewares: "portainer-IPAllowList@docker"
+          traefik.http.middlewares.portainer-IPAllowList.IPAllowList.sourcerange: "{{ portainer_ip_allowlist }}"
   when: portainer_enabled is true
 
 - name: Stop Portainer

diff --git a/roles/stats/tasks/influxdb.yml b/roles/stats/tasks/influxdb.yml
@@ -43,9 +43,9 @@
           traefik.http.routers.influxdb.tls.domains[0].main: "{{ ansible_nas_domain }}"
           traefik.http.routers.influxdb.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
           traefik.http.services.influxdb.loadbalancer.server.port: "8086"
-          traefik.http.middlewares.influxdb-whitelist.ipwhitelist.ipstrategy.depth: "0"
-          traefik.http.middlewares.influxdb-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
-          traefik.http.routers.influxdb.middlewares: "influxdb-whitelist,influxdb-header"
+          traefik.http.middlewares.influxdb-allowlist.IPAllowList.ipstrategy.depth: "0"
+          traefik.http.middlewares.influxdb-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16"
+          traefik.http.routers.influxdb.middlewares: "influxdb-allowlist,influxdb-header"
           traefik.http.middlewares.influx-redirect.redirectScheme.scheme: "https"
           traefik.http.middlewares.influxdb-header.headers.forceSTSHeader: "true"
           traefik.http.middlewares.influxdb-header.headers.accesscontrolalloworiginlist: "https://{{ stats_influxdb_hostname }}.{{ ansible_nas_domain }}"

diff --git a/roles/vaultwarden/defaults/main.yml b/roles/vaultwarden/defaults/main.yml
@@ -9,7 +9,7 @@ vaultwarden_data_directory: "{{ docker_home }}/vaultwarden"
 vaultwarden_port_a: "19080"
 vaultwarden_port_b: "3012"
 vaultwarden_hostname: "vaultwarden"
-vaultwarden_ip_whitelist: "0.0.0.0/0"
+vaultwarden_ip_allowlist: "0.0.0.0/0"
 
 # specs
 vaultwarden_memory: 1g

diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml
@@ -27,20 +27,20 @@
         labels:
           traefik.enable: "{{ vaultwarden_available_externally | string }}"
           traefik.http.routers.vaultwarden.rule: "Host(`{{ vaultwarden_hostname }}.{{ ansible_nas_domain }}`)"
-          # traefik.http.routers.vaultwarden.tls.certresolver: "letsencrypt"
-          # traefik.http.routers.vaultwarden.tls.domains[0].main: "{{ ansible_nas_domain }}"
-          # traefik.http.routers.vaultwarden.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
+          traefik.http.routers.vaultwarden.tls.certresolver: "letsencrypt"
+          traefik.http.routers.vaultwarden.tls.domains[0].main: "{{ ansible_nas_domain }}"
+          traefik.http.routers.vaultwarden.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
           traefik.http.routers.vaultwarden.service: "vaultwarden"
-          traefik.http.routers.vaultwarden.middlewares: "vaultwarden-ipwhitelist@docker"
+          traefik.http.routers.vaultwarden.middlewares: "vaultwarden-IPAllowList@docker"
           traefik.http.services.vaultwarden.loadbalancer.server.port: "80"
           traefik.http.routers.vaultwarden-ws.rule: "Host(`{{ vaultwarden_hostname }}.{{ ansible_nas_domain }}`) && Path(`/notifications/hub`)"
-          # traefik.http.routers.vaultwarden-ws.tls.certresolver: "letsencrypt"
-          # traefik.http.routers.vaultwarden-ws.tls.domains[0].main: "{{ ansible_nas_domain }}"
-          # traefik.http.routers.vaultwarden-ws.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
+          traefik.http.routers.vaultwarden-ws.tls.certresolver: "letsencrypt"
+          traefik.http.routers.vaultwarden-ws.tls.domains[0].main: "{{ ansible_nas_domain }}"
+          traefik.http.routers.vaultwarden-ws.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
           traefik.http.routers.vaultwarden-ws.service: "vaultwarden-ws"
-          traefik.http.routers.vaultwarden-ws.middlewares: "vaultwarden-ipwhitelist@docker"
+          traefik.http.routers.vaultwarden-ws.middlewares: "vaultwarden-IPAllowList@docker"
           traefik.http.services.vaultwarden-ws.loadbalancer.server.port: "3012"
-          traefik.http.middlewares.vaultwarden-ipwhitelist.ipwhitelist.sourcerange: "{{ vaultwarden_ip_whitelist }}"
+          traefik.http.middlewares.vaultwarden-IPAllowList.IPAllowList.sourcerange: "{{ vaultwarden_ip_allowlist }}"
         restart_policy: unless-stopped
         memory: "{{ vaultwarden_memory }}"