From ca419629826fb2df7dfa39fc9110b99066a647ed Mon Sep 17 00:00:00 2001 From: Anarion <2185791+anarion80@users.noreply.github.com> Date: Wed, 1 May 2024 10:17:09 +0200 Subject: [PATCH] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20Change=20whitelist=20to=20?= =?UTF-8?q?allowlist=20(#118)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/authelia/tasks/main.yml | 6 +++--- roles/authentik/tasks/main.yml | 6 +++--- roles/barcodebuddy/tasks/main.yml | 6 +++--- roles/flame/tasks/main.yml | 6 +++--- roles/grocy/tasks/main.yml | 6 +++--- roles/portainer/defaults/main.yml | 2 +- roles/portainer/tasks/main.yml | 4 ++-- roles/stats/tasks/influxdb.yml | 6 +++--- roles/vaultwarden/defaults/main.yml | 2 +- roles/vaultwarden/tasks/main.yml | 18 +++++++++--------- 10 files changed, 31 insertions(+), 31 deletions(-) diff --git a/roles/authelia/tasks/main.yml b/roles/authelia/tasks/main.yml index bddd6f273c..3c8e06936e 100644 --- a/roles/authelia/tasks/main.yml +++ b/roles/authelia/tasks/main.yml 
@@ -40,9 +40,9 @@ traefik.http.routers.authelia.tls.certresolver: "letsencrypt" traefik.http.routers.authelia.tls.domains[0].main: "{{ ansible_nas_domain }}" traefik.http.routers.authelia.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" - traefik.http.routers.authelia.middlewares: "authelia-whitelist" - traefik.http.middlewares.authelia-whitelist.ipwhitelist.ipstrategy.depth: "1" - traefik.http.middlewares.authelia-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16" + traefik.http.routers.authelia.middlewares: "authelia-allowlist" + traefik.http.middlewares.authelia-allowlist.IPAllowList.ipstrategy.depth: "1" + traefik.http.middlewares.authelia-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16" traefik.http.middlewares.authelia.forwardauth.address: "http://authelia:9091/api/verify?rd=https://{{ authelia_hostname }}.{{ ansible_nas_domain }}" # yamllint disable-line rule:line-length traefik.http.middlewares.authelia.forwardauth.trustForwardHeader: "true" traefik.http.middlewares.authelia.forwardauth.authResponseHeaders: "Remote-User,Remote-Groups,Remote-Name,Remote-Email" # yamllint disable-line rule:line-length diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml index 03fd7d95cf..519ac26f10 100644 --- a/roles/authentik/tasks/main.yml +++ b/roles/authentik/tasks/main.yml 
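Review bot: `IPAllowList` is the Traefik v3 spelling of this middleware (Traefik v2 only recognises `ipWhiteList`), so the renamed labels on the authelia router only resolve if the traefik role pins a v3 image, which this hunk cannot show; a version requirement in the role defaults or README would make that dependency explicit. Separately, `ipstrategy.depth: "1"` evaluates the allowlist against the rightmost `X-Forwarded-For` hop rather than the TCP peer, which is only as trustworthy as the entrypoint's `forwardedHeaders` settings — if that entrypoint is configured `insecure` or trusts broad IP ranges, a remote client can present a 192.168.x.x address in that header and pass the check on the identity provider. I would add `# depth 1 = trust the last X-Forwarded-For hop; relies on the Traefik entrypoint only accepting forwarded headers from trusted proxies` above the ipstrategy label. The labels mapping this hunk edits starts and ends outside the hunk.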
@@ -116,9 +116,9 @@ traefik.http.routers.authentik.tls.certresolver: "letsencrypt" traefik.http.routers.authentik.tls.domains[0].main: "{{ ansible_nas_domain }}" traefik.http.routers.authentik.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" - traefik.http.middlewares.authentik-whitelist.ipwhitelist.ipstrategy.depth: "1" - traefik.http.middlewares.authentik-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16" - traefik.http.routers.authentik.middlewares: "authentik-whitelist" + traefik.http.middlewares.authentik-allowlist.IPAllowList.ipstrategy.depth: "1" + traefik.http.middlewares.authentik-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16" + traefik.http.routers.authentik.middlewares: "authentik-allowlist" traefik.http.services.authentik.loadbalancer.server.port: "9000" restart_policy: unless-stopped memory: "{{ authentik_server_memory }}" diff --git a/roles/barcodebuddy/tasks/main.yml b/roles/barcodebuddy/tasks/main.yml index b508480791..26f4ec4968 100644 --- a/roles/barcodebuddy/tasks/main.yml +++ b/roles/barcodebuddy/tasks/main.yml @@ -37,9 +37,9 @@ traefik.http.routers.barcodebuddy.tls.certresolver: "letsencrypt" traefik.http.routers.barcodebuddy.tls.domains[0].main: "{{ ansible_nas_domain }}" traefik.http.routers.barcodebuddy.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" - traefik.http.middlewares.barcodebuddy-whitelist.ipwhitelist.ipstrategy.depth: "1" - traefik.http.middlewares.barcodebuddy-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16" - traefik.http.routers.barcodebuddy.middlewares: "barcodebuddy-whitelist" + traefik.http.middlewares.barcodebuddy-allowlist.IPAllowList.ipstrategy.depth: "1" + traefik.http.middlewares.barcodebuddy-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16" + traefik.http.routers.barcodebuddy.middlewares: "barcodebuddy-allowlist" traefik.http.services.barcodebuddy.loadbalancer.server.port: "80" restart_policy: unless-stopped memory: "{{ barcodebuddy_memory }}" 
diff --git a/roles/flame/tasks/main.yml b/roles/flame/tasks/main.yml index 63801ab1a2..441075f674 100644 --- a/roles/flame/tasks/main.yml +++ b/roles/flame/tasks/main.yml @@ -26,9 +26,9 @@ traefik.http.routers.flame.tls.certresolver: "letsencrypt" traefik.http.routers.flame.tls.domains[0].main: "{{ ansible_nas_domain }}" traefik.http.routers.flame.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" - traefik.http.middlewares.flame-whitelist.ipwhitelist.ipstrategy.depth: "1" - traefik.http.middlewares.flame-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16" - traefik.http.routers.flame.middlewares: "flame-whitelist" + traefik.http.middlewares.flame-allowlist.IPAllowList.ipstrategy.depth: "1" + traefik.http.middlewares.flame-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16" + traefik.http.routers.flame.middlewares: "flame-allowlist" traefik.http.services.flame.loadbalancer.server.port: "5005" restart_policy: unless-stopped memory: "{{ flame_memory }}" diff --git a/roles/grocy/tasks/main.yml b/roles/grocy/tasks/main.yml index 413308886d..22f90e60b8 100644 --- a/roles/grocy/tasks/main.yml +++ b/roles/grocy/tasks/main.yml @@ -27,9 +27,9 @@ traefik.http.routers.grocy.tls.certresolver: "letsencrypt" traefik.http.routers.grocy.tls.domains[0].main: "{{ ansible_nas_domain }}" traefik.http.routers.grocy.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" - traefik.http.middlewares.grocy-whitelist.ipwhitelist.ipstrategy.depth: "1" - traefik.http.middlewares.grocy-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16" - traefik.http.routers.grocy.middlewares: "grocy-whitelist" + traefik.http.middlewares.grocy-allowlist.IPAllowList.ipstrategy.depth: "1" + traefik.http.middlewares.grocy-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16" + traefik.http.routers.grocy.middlewares: "grocy-allowlist" traefik.http.services.grocy.loadbalancer.server.port: "80" restart_policy: unless-stopped memory: "{{ grocy_memory }}" 
diff --git a/roles/portainer/defaults/main.yml b/roles/portainer/defaults/main.yml index be0522f4e1..38ae9d38d6 100644 --- a/roles/portainer/defaults/main.yml +++ b/roles/portainer/defaults/main.yml @@ -8,7 +8,7 @@ portainer_data_directory: "{{ docker_home }}/portainer/config" # network portainer_port: "9000" portainer_hostname: "portainer" -portainer_ip_whitelist: "0.0.0.0/0" +portainer_ip_allowlist: "0.0.0.0/0" # docker portainer_container_name: "portainer" diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml index e6f690cc01..ab4476bc12 100644 --- a/roles/portainer/tasks/main.yml +++ b/roles/portainer/tasks/main.yml @@ -28,8 +28,8 @@ traefik.http.routers.portainer.tls.domains[0].main: "{{ ansible_nas_domain }}" traefik.http.routers.portainer.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" traefik.http.services.portainer.loadbalancer.server.port: "9443" - traefik.http.routers.portainer.middlewares: "portainer-ipwhitelist@docker" - traefik.http.middlewares.portainer-ipwhitelist.ipwhitelist.sourcerange: "{{ portainer_ip_whitelist }}" + traefik.http.routers.portainer.middlewares: "portainer-IPAllowList@docker" + traefik.http.middlewares.portainer-IPAllowList.IPAllowList.sourcerange: "{{ portainer_ip_allowlist }}" when: portainer_enabled is true - name: Stop Portainer diff --git a/roles/stats/tasks/influxdb.yml b/roles/stats/tasks/influxdb.yml index 43f91fc992..028e2555ce 100644 --- a/roles/stats/tasks/influxdb.yml +++ b/roles/stats/tasks/influxdb.yml 
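Review bot: Renaming `portainer_ip_whitelist` to `portainer_ip_allowlist` in defaults/main.yml silently fails open for existing inventories — a host that had overridden the old variable to a LAN range now gets the default `0.0.0.0/0`, and the Portainer router becomes reachable from anywhere Traefik listens. A one-line compatibility default keeps old overrides effective: `portainer_ip_allowlist: "{{ portainer_ip_whitelist | default('0.0.0.0/0') }}"`. In tasks/main.yml the middleware name `portainer-IPAllowList` also diverges from the lowercase `<role>-allowlist` naming the other roles in this patch use; `portainer-allowlist` would keep the label set uniform.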
@@ -43,9 +43,9 @@ traefik.http.routers.influxdb.tls.domains[0].main: "{{ ansible_nas_domain }}" traefik.http.routers.influxdb.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" traefik.http.services.influxdb.loadbalancer.server.port: "8086" - traefik.http.middlewares.influxdb-whitelist.ipwhitelist.ipstrategy.depth: "0" - traefik.http.middlewares.influxdb-whitelist.ipwhitelist.sourcerange: "127.0.0.1/32, 192.168.0.0/16" - traefik.http.routers.influxdb.middlewares: "influxdb-whitelist,influxdb-header" + traefik.http.middlewares.influxdb-allowlist.IPAllowList.ipstrategy.depth: "0" + traefik.http.middlewares.influxdb-allowlist.IPAllowList.sourcerange: "127.0.0.1/32, 192.168.0.0/16" + traefik.http.routers.influxdb.middlewares: "influxdb-allowlist,influxdb-header" traefik.http.middlewares.influx-redirect.redirectScheme.scheme: "https" traefik.http.middlewares.influxdb-header.headers.forceSTSHeader: "true" traefik.http.middlewares.influxdb-header.headers.accesscontrolalloworiginlist: "https://{{ stats_influxdb_hostname }}.{{ ansible_nas_domain }}" diff --git a/roles/vaultwarden/defaults/main.yml b/roles/vaultwarden/defaults/main.yml index a8921cf3b7..75ae40b5e1 100644 --- a/roles/vaultwarden/defaults/main.yml +++ b/roles/vaultwarden/defaults/main.yml @@ -9,7 +9,7 @@ vaultwarden_data_directory: "{{ docker_home }}/vaultwarden" vaultwarden_port_a: "19080" vaultwarden_port_b: "3012" vaultwarden_hostname: "vaultwarden" -vaultwarden_ip_whitelist: "0.0.0.0/0" +vaultwarden_ip_allowlist: "0.0.0.0/0" # specs vaultwarden_memory: 1g diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml index 9d84adf7e2..bcffb26b9f 100644 --- a/roles/vaultwarden/tasks/main.yml +++ b/roles/vaultwarden/tasks/main.yml 
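Review bot: The influxdb allowlist keeps `ipstrategy.depth: "0"` while every other role in this patch uses `"1"`, and the difference is undocumented: with depth 0 Traefik matches the connecting peer address, so behind any upstream proxy the `192.168.0.0/16` range is compared against the proxy rather than the client, whereas the other routers check the last `X-Forwarded-For` hop. If the divergence is intentional, a comment such as `# depth 0: match on the connecting peer, not X-Forwarded-For (unlike the other roles)` would stop a later cleanup from "fixing" it; otherwise align it to `"1"`. The labels mapping continues beyond both ends of the hunk.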
@@ -27,20 +27,20 @@ labels: traefik.enable: "{{ vaultwarden_available_externally | string }}" traefik.http.routers.vaultwarden.rule: "Host(`{{ vaultwarden_hostname }}.{{ ansible_nas_domain }}`)" - # traefik.http.routers.vaultwarden.tls.certresolver: "letsencrypt" - # traefik.http.routers.vaultwarden.tls.domains[0].main: "{{ ansible_nas_domain }}" - # traefik.http.routers.vaultwarden.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" + traefik.http.routers.vaultwarden.tls.certresolver: "letsencrypt" + traefik.http.routers.vaultwarden.tls.domains[0].main: "{{ ansible_nas_domain }}" + traefik.http.routers.vaultwarden.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" traefik.http.routers.vaultwarden.service: "vaultwarden" - traefik.http.routers.vaultwarden.middlewares: "vaultwarden-ipwhitelist@docker" + traefik.http.routers.vaultwarden.middlewares: "vaultwarden-IPAllowList@docker" traefik.http.services.vaultwarden.loadbalancer.server.port: "80" traefik.http.routers.vaultwarden-ws.rule: "Host(`{{ vaultwarden_hostname }}.{{ ansible_nas_domain }}`) && Path(`/notifications/hub`)" - # traefik.http.routers.vaultwarden-ws.tls.certresolver: "letsencrypt" - # traefik.http.routers.vaultwarden-ws.tls.domains[0].main: "{{ ansible_nas_domain }}" - # traefik.http.routers.vaultwarden-ws.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" + traefik.http.routers.vaultwarden-ws.tls.certresolver: "letsencrypt" + traefik.http.routers.vaultwarden-ws.tls.domains[0].main: "{{ ansible_nas_domain }}" + traefik.http.routers.vaultwarden-ws.tls.domains[0].sans: "*.{{ ansible_nas_domain }}" traefik.http.routers.vaultwarden-ws.service: "vaultwarden-ws" - traefik.http.routers.vaultwarden-ws.middlewares: "vaultwarden-ipwhitelist@docker" + traefik.http.routers.vaultwarden-ws.middlewares: "vaultwarden-IPAllowList@docker" traefik.http.services.vaultwarden-ws.loadbalancer.server.port: "3012" - traefik.http.middlewares.vaultwarden-ipwhitelist.ipwhitelist.sourcerange: "{{ vaultwarden_ip_whitelist }}" + 
traefik.http.middlewares.vaultwarden-IPAllowList.IPAllowList.sourcerange: "{{ vaultwarden_ip_allowlist }}" restart_policy: unless-stopped memory: "{{ vaultwarden_memory }}"
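Review bot: The un-commented `tls.certresolver`/`tls.domains` labels on both vaultwarden routers are a behavioural change (Let's Encrypt issuance for the vaultwarden hostnames) that the commit title "Change whitelist to allowlist" does not mention; it deserves its own sentence in the message or its own commit, since a failed ACME issuance now affects the password manager's reachability. The sourcerange label now reads `{{ vaultwarden_ip_allowlist }}`, so inventories that still set `vaultwarden_ip_whitelist` to a LAN range silently lose that restriction and fall back to the `0.0.0.0/0` default; `vaultwarden_ip_allowlist: "{{ vaultwarden_ip_whitelist | default('0.0.0.0/0') }}"` in defaults/main.yml would honour them. The middleware name `vaultwarden-IPAllowList` also differs in style from the lowercase `<role>-allowlist` names used elsewhere in the patch. The labels mapping continues past the hunk's end.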