From 7a66cbc85a97025c6541de25c9a071f929b485cb Mon Sep 17 00:00:00 2001
From: Nicholas Jones
Date: Mon, 29 Jul 2024 09:07:50 -0500
Subject: [PATCH 1/6] Update main.yml

---
 roles/bitwarden/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/bitwarden/defaults/main.yml b/roles/bitwarden/defaults/main.yml
index 3637685ea5..6a54a29d61 100644
--- a/roles/bitwarden/defaults/main.yml
+++ b/roles/bitwarden/defaults/main.yml
@@ -5,7 +5,7 @@ bitwarden_data_directory: "{{ docker_home }}/bitwarden"
 bitwarden_port_a: "19080"
 bitwarden_port_b: "3012"
 bitwarden_hostname: "bitwarden"
-bitwarden_ip_whitelist: "0.0.0.0/0"
+bitwarden_ip_allowlist: "0.0.0.0/0"
 # Keep this token secret, this is password to access admin area of your server!
 # This token can be anything, but it's recommended to use a long, randomly generated string of characters,

From adafd29d078f78be53974a008484ee8d7be393ed Mon Sep 17 00:00:00 2001
From: Nicholas Jones
Date: Mon, 29 Jul 2024 09:08:32 -0500
Subject: [PATCH 2/6] Update main.yml

---
 roles/bitwarden/tasks/main.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/bitwarden/tasks/main.yml b/roles/bitwarden/tasks/main.yml
index ae2203d2be..9dc71c5c3d 100644
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@@ -31,16 +31,16 @@
 traefik.http.routers.bitwarden.tls.domains[0].main: "{{ ansible_nas_domain }}"
 traefik.http.routers.bitwarden.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
 traefik.http.routers.bitwarden.service: "bitwarden"
- traefik.http.routers.bitwarden.middlewares: "bitwarden-ipwhitelist@docker"
+ traefik.http.routers.bitwarden.middlewares: "bitwarden-ipallowlist@docker"
 traefik.http.services.bitwarden.loadbalancer.server.port: "80"
 traefik.http.routers.bitwarden-ws.rule: "Host(`{{ bitwarden_hostname }}.{{ ansible_nas_domain }}`) && Path(`/notifications/hub`)"
 traefik.http.routers.bitwarden-ws.tls.certresolver: "letsencrypt"
 traefik.http.routers.bitwarden-ws.tls.domains[0].main: "{{ ansible_nas_domain }}"
 traefik.http.routers.bitwarden-ws.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
 traefik.http.routers.bitwarden-ws.service: "bitwarden-ws"
- traefik.http.routers.bitwarden-ws.middlewares: "bitwarden-ipwhitelist@docker"
+ traefik.http.routers.bitwarden-ws.middlewares: "bitwarden-ipallowlist@docker"
 traefik.http.services.bitwarden-ws.loadbalancer.server.port: "3012"
- traefik.http.middlewares.bitwarden-ipwhitelist.ipwhitelist.sourcerange: "{{ bitwarden_ip_whitelist }}"
+ traefik.http.middlewares.bitwarden-ipallowlist.ipallowlist.sourcerange: "{{ bitwarden_ip_whitelist }}"
 memory: "{{ bitwarden_memory }}"
 restart_policy: unless-stopped

From 6b0efff357bc1c1281dd85a9ee6581a1bbb5c388 Mon Sep 17 00:00:00 2001
From: Nicholas Jones
Date: Mon, 29 Jul 2024 09:08:51 -0500
Subject: [PATCH 3/6] Update main.yml

---
 roles/portainer/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/portainer/defaults/main.yml b/roles/portainer/defaults/main.yml
index be0522f4e1..38ae9d38d6 100644
--- a/roles/portainer/defaults/main.yml
+++ b/roles/portainer/defaults/main.yml
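Review bot: The new sourcerange label on the last `+` line still renders `{{ bitwarden_ip_whitelist }}`, although PATCH 1/6 renamed that role default to `bitwarden_ip_allowlist`; at this commit the variable is undefined unless a user sets it, and Ansible's default undefined-variable handling aborts the container task. The correction, `traefik.http.middlewares.bitwarden-ipallowlist.ipallowlist.sourcerange: "{{ bitwarden_ip_allowlist }}"`, only lands in PATCH 5/6, so the series does not bisect cleanly here; squashing that one-line fix into this commit would keep every step deployable. It is also worth a sentence in the role docs that `ipallowlist` exists only from Traefik v2.11 on, since, as far as I recall, a router referencing a middleware its Traefik version does not know is not served at all. The `labels` mapping this hunk belongs to starts and ends outside the hunk.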
@@ -8,7 +8,7 @@ portainer_data_directory: "{{ docker_home }}/portainer/config"
 # network
 portainer_port: "9000"
 portainer_hostname: "portainer"
-portainer_ip_whitelist: "0.0.0.0/0"
+portainer_ip_allowlist: "0.0.0.0/0"
 # docker
 portainer_container_name: "portainer"

From e6a2ed00ecddbd1fb8c10a2bec46a258b7cb5a96 Mon Sep 17 00:00:00 2001
From: Nicholas Jones
Date: Mon, 29 Jul 2024 09:09:27 -0500
Subject: [PATCH 4/6] Update main.yml

---
 roles/portainer/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml
index e6f690cc01..0f13f965ac 100644
--- a/roles/portainer/tasks/main.yml
+++ b/roles/portainer/tasks/main.yml
@@ -28,8 +28,8 @@
 traefik.http.routers.portainer.tls.domains[0].main: "{{ ansible_nas_domain }}"
 traefik.http.routers.portainer.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
 traefik.http.services.portainer.loadbalancer.server.port: "9443"
- traefik.http.routers.portainer.middlewares: "portainer-ipwhitelist@docker"
- traefik.http.middlewares.portainer-ipwhitelist.ipwhitelist.sourcerange: "{{ portainer_ip_whitelist }}"
+ traefik.http.routers.portainer.middlewares: "portainer-ipallowlist@docker"
+ traefik.http.middlewares.portainer-ipallowlist.ipallowlist.sourcerange: "{{ portainer_ip_allowlist }}"
 when: portainer_enabled is true
 - name: Stop Portainer

From 5da5978ca162b3160c2de6d0b94a8292de6e85a9 Mon Sep 17 00:00:00 2001
From: Nicholas Jones <8533321+nickjones33@users.noreply.github.com>
Date: Thu, 8 Aug 2024 22:50:31 -0500
Subject: [PATCH 5/6] adding ansible.builtin.fail checks to catch people still using outdated *whitelist settings as per PR feedback

---
 roles/bitwarden/defaults/main.yml | 1 +
 roles/bitwarden/tasks/main.yml | 7 ++++++-
 roles/portainer/defaults/main.yml | 1 +
 roles/portainer/tasks/main.yml | 5 +++++
 4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/roles/bitwarden/defaults/main.yml b/roles/bitwarden/defaults/main.yml
index 6a54a29d61..80d00200ff 100644
--- a/roles/bitwarden/defaults/main.yml
+++ b/roles/bitwarden/defaults/main.yml
@@ -5,6 +5,7 @@ bitwarden_data_directory: "{{ docker_home }}/bitwarden"
 bitwarden_port_a: "19080"
 bitwarden_port_b: "3012"
 bitwarden_hostname: "bitwarden"
+bitwarden_ip_whitelist: "deprecated"
 bitwarden_ip_allowlist: "0.0.0.0/0"
 # Keep this token secret, this is password to access admin area of your server!
diff --git a/roles/bitwarden/tasks/main.yml b/roles/bitwarden/tasks/main.yml
index 9dc71c5c3d..cf473d06c8 100644
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@@ -1,6 +1,11 @@
 ---
 - name: Start Bitwarden
 block:
+ - name: Check for Deprecated IP Whitelist setting
+ ansible.builtin.fail:
+ msg: "Use bitwarden_ip_allowlist instead of bitwarden_ip_whitelist! Read https://traefik.io/blog/announcing-traefik-proxy-v2-11/ for more information."
+ when: bitwarden_ip_whitelist != "deprecated"
+
 - name: Create Bitwarden Directories
 ansible.builtin.file:
 path: "{{ item }}"
@@ -40,7 +45,7 @@
 traefik.http.routers.bitwarden-ws.service: "bitwarden-ws"
 traefik.http.routers.bitwarden-ws.middlewares: "bitwarden-ipallowlist@docker"
 traefik.http.services.bitwarden-ws.loadbalancer.server.port: "3012"
- traefik.http.middlewares.bitwarden-ipallowlist.ipallowlist.sourcerange: "{{ bitwarden_ip_whitelist }}"
+ traefik.http.middlewares.bitwarden-ipallowlist.ipallowlist.sourcerange: "{{ bitwarden_ip_allowlist }}"
 memory: "{{ bitwarden_memory }}"
 restart_policy: unless-stopped
diff --git a/roles/portainer/defaults/main.yml b/roles/portainer/defaults/main.yml
index 38ae9d38d6..f1e5dd3c5d 100644
--- a/roles/portainer/defaults/main.yml
+++ b/roles/portainer/defaults/main.yml
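Review bot: The `msg` line of the new "Check for Deprecated IP Whitelist setting" task runs to roughly 150 characters, well past the usual 80/120 limit, and the identical line is copied into the portainer tasks hunk of this commit and carried forward by PATCH 6/6; a folded scalar renders the same text while staying readable. I would write it as `msg: >-` with each sentence on its own indented line, `Use bitwarden_ip_allowlist instead of bitwarden_ip_whitelist!` and `Read https://traefik.io/blog/announcing-traefik-proxy-v2-11/ for more information.`, which the folding joins with a single space. The second hunk of this file also corrects the `{{ bitwarden_ip_whitelist }}` reference left behind by PATCH 2/6, a fix the commit subject does not mention; one line in the description naming it would help anyone reading the history. The enclosing block continues past the hunk.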
@@ -8,6 +8,7 @@ portainer_data_directory: "{{ docker_home }}/portainer/config"
 # network
 portainer_port: "9000"
 portainer_hostname: "portainer"
+portainer_ip_whitelist: "deprecated"
 portainer_ip_allowlist: "0.0.0.0/0"
 # docker
diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml
index 0f13f965ac..8cc3982bd9 100644
--- a/roles/portainer/tasks/main.yml
+++ b/roles/portainer/tasks/main.yml
@@ -1,6 +1,11 @@
 ---
 - name: Start Portainer
 block:
+ - name: Check for Deprecated IP Whitelist setting
+ ansible.builtin.fail:
+ msg: "Use portainer_ip_allowlist instead of portainer_ip_whitelist! Read https://traefik.io/blog/announcing-traefik-proxy-v2-11/ for more information."
+ when: portainer_ip_whitelist != "deprecated"
+
 - name: Create Portainer Directories
 ansible.builtin.file:
 path: "{{ item }}"

From 3d3bd76ebe3533a51d02a1974861b8f357359768 Mon Sep 17 00:00:00 2001
From: Nicholas Jones <8533321+nickjones33@users.noreply.github.com>
Date: Fri, 9 Aug 2024 07:22:26 -0500
Subject: [PATCH 6/6] better check for existence of property

---
 roles/bitwarden/defaults/main.yml | 1 -
 roles/bitwarden/tasks/main.yml | 2 +-
 roles/portainer/defaults/main.yml | 1 -
 roles/portainer/tasks/main.yml | 2 +-
 4 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/roles/bitwarden/defaults/main.yml b/roles/bitwarden/defaults/main.yml
index 80d00200ff..6a54a29d61 100644
--- a/roles/bitwarden/defaults/main.yml
+++ b/roles/bitwarden/defaults/main.yml
@@ -5,7 +5,6 @@ bitwarden_data_directory: "{{ docker_home }}/bitwarden"
 bitwarden_port_a: "19080"
 bitwarden_port_b: "3012"
 bitwarden_hostname: "bitwarden"
-bitwarden_ip_whitelist: "deprecated"
 bitwarden_ip_allowlist: "0.0.0.0/0"
 # Keep this token secret, this is password to access admin area of your server!
diff --git a/roles/bitwarden/tasks/main.yml b/roles/bitwarden/tasks/main.yml
index cf473d06c8..8c83f3917f 100644
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@@ -4,7 +4,7 @@
 - name: Check for Deprecated IP Whitelist setting
 ansible.builtin.fail:
 msg: "Use bitwarden_ip_allowlist instead of bitwarden_ip_whitelist! Read https://traefik.io/blog/announcing-traefik-proxy-v2-11/ for more information."
- when: bitwarden_ip_whitelist != "deprecated"
+ when: bitwarden_ip_whitelist is defined
 - name: Create Bitwarden Directories
 ansible.builtin.file:
diff --git a/roles/portainer/defaults/main.yml b/roles/portainer/defaults/main.yml
index f1e5dd3c5d..38ae9d38d6 100644
--- a/roles/portainer/defaults/main.yml
+++ b/roles/portainer/defaults/main.yml
@@ -8,7 +8,6 @@ portainer_data_directory: "{{ docker_home }}/portainer/config"
 # network
 portainer_port: "9000"
 portainer_hostname: "portainer"
-portainer_ip_whitelist: "deprecated"
 portainer_ip_allowlist: "0.0.0.0/0"
 # docker
diff --git a/roles/portainer/tasks/main.yml b/roles/portainer/tasks/main.yml
index 8cc3982bd9..e10ee07699 100644
--- a/roles/portainer/tasks/main.yml
+++ b/roles/portainer/tasks/main.yml
@@ -4,7 +4,7 @@
 - name: Check for Deprecated IP Whitelist setting
 ansible.builtin.fail:
 msg: "Use portainer_ip_allowlist instead of portainer_ip_whitelist! Read https://traefik.io/blog/announcing-traefik-proxy-v2-11/ for more information."
- when: portainer_ip_whitelist != "deprecated"
+ when: portainer_ip_whitelist is defined
 - name: Create Portainer Directories
 ansible.builtin.file:
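Review bot: The new `when: bitwarden_ip_whitelist is defined` guard only works because this same commit deletes `bitwarden_ip_whitelist: "deprecated"` from roles/bitwarden/defaults/main.yml, and nothing in the tasks file records that coupling; if anyone later re-adds a default for the old name, the check silently never fires and a user who still restricts access through `bitwarden_ip_whitelist` in their inventory gets the role default `bitwarden_ip_allowlist: "0.0.0.0/0"`, which admits every source. I would add, above the task, `# bitwarden_ip_whitelist must have no default in this role: the guard below only fires when the user still sets the old name`, and the same comment on the portainer tasks hunk of this commit, which has the identical structure. The task sits inside the "Start Bitwarden" block, so it runs only when that block runs and, should the block ever gain a `rescue:`, the deliberate failure would be caught there; the block starts and ends outside the hunk.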