roles/common: fix logic for copying AbuseIPDB.com nft sets

We have to force these because they are not updated on the host like the other lists (API limit of five requests per day!). We update the list periodically here in git.
roles/common: update AbuseIPDB lists for nftables
2021-09-08 09:58:13 +03:00 · 2021-09-08 09:57:58 +03:00 · 2021-09-08 09:35:36 +03:00 · 2021-09-08 09:32:06 +03:00 · 2021-09-07 20:12:31 +03:00
10 changed files with 14326 additions and 14301 deletions
--- a/roles/common/files/abuseipdb-ipv4.nft
+++ b/roles/common/files/abuseipdb-ipv4.nft
--- a/roles/common/files/abuseipdb-ipv6.nft
+++ b/roles/common/files/abuseipdb-ipv6.nft
@ -1,14 +1,7 @@
 #!/usr/sbin/nft -f

 define ABUSEIPDB_IPV6 = {
-2001:41d0:8:8c1::,
-2400:6180:0:d1::8c9:8001,
-2607:5300:203:3b58::,
-2607:f298:5:102f::97c:9b51,
-2607:f298:5:103f::cf7:8a8e,
-2607:f298:5:6000::f25:8518,
-2607:f298:6:a016::448:ebe6,
-2607:f298:6:a034::eb5:2e70,
-2a00:d680:20:50::68b6,
-2a06:41c0:0:1::e4ca:8524,
+2400:6180:0:d1::4ce:d001,
+2607:5300:60:232d::,
+2607:f298:6:a066::1bf:e80e,
 }
--- a/roles/common/files/abusers-ipv4.xml
+++ b/roles/common/files/abusers-ipv4.xml
--- a/roles/common/files/abusers-ipv6.xml
+++ b/roles/common/files/abusers-ipv6.xml
@ -3,21 +3,7 @@
  <option name="family" value="inet6" />
  <short>abusers-ipv6</short>
  <description>A list of abusive IPv6 addresses.</description>
-  <entry>2001:41d0:700:1a2c::</entry>
-  <entry>2400:6180:0:d0::63:e001</entry>
-  <entry>2400:6180:0:d0::6a:4001</entry>
-  <entry>2604:a880:2:d0::22d5:c001</entry>
-  <entry>2604:a880:2:d1::19c:1001</entry>
-  <entry>2604:a880:cad:d0::169:3001</entry>
-  <entry>2607:5300:203:2519::</entry>
-  <entry>2607:5300:203:4418::</entry>
-  <entry>2607:5300:203:d86::</entry>
-  <entry>2607:5300:60:1e52::</entry>
-  <entry>2607:5300:61:404::</entry>
-  <entry>2607:f298:5:115b::bcf:e319</entry>
-  <entry>2607:f298:5:6000::864:52c7</entry>
-  <entry>2607:f298:6:a044::d7d:2305</entry>
-  <entry>2607:f298:6:a077::491:e10b</entry>
-  <entry>2a00:d680:20:50::4a10</entry>
-  <entry>2a03:6f00:6:1::b972:f5c1</entry>
+  <entry>2400:6180:0:d1::4ce:d001</entry>
+  <entry>2607:5300:60:232d::</entry>
+  <entry>2607:f298:6:a066::1bf:e80e</entry>
 </ipset>
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@ -36,13 +36,13 @@

  - name: Copy extra nftables configuration files
    when: ansible_distribution_major_version is version('11', '>=')
-    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
+    copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
    loop:
-      - spamhaus-ipv4.nft
-      - spamhaus-ipv6.nft
-      - abusech-ipv4.nft
-      - abuseipdb-ipv4.nft
-      - abuseipdb-ipv6.nft
+      - { src: "spamhaus-ipv4.nft", force: "no" }
+      - { src: "spamhaus-ipv6.nft", force: "no" }
+      - { src: "abusech-ipv4.nft", force: "no" }
+      - { src: "abuseipdb-ipv4.nft", force: "yes" }
+      - { src: "abuseipdb-ipv6.nft", force: "yes" }
    notify:
      - restart nftables

--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@ -42,13 +42,13 @@

  - name: Copy extra nftables configuration files
    when: ansible_distribution_version is version('20.04', '>=')
-    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
+    copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
    loop:
-      - spamhaus-ipv4.nft
-      - spamhaus-ipv6.nft
-      - abusech-ipv4.nft
-      - abuseipdb-ipv4.nft
-      - abuseipdb-ipv6.nft
+      - { src: "spamhaus-ipv4.nft", force: "no" }
+      - { src: "spamhaus-ipv6.nft", force: "no" }
+      - { src: "abusech-ipv4.nft", force: "no" }
+      - { src: "abuseipdb-ipv4.nft", force: "yes" }
+      - { src: "abuseipdb-ipv6.nft", force: "yes" }
    notify:
      - restart nftables

--- a/roles/php-fpm/tasks/Debian_10.yml
+++ b/roles/php-fpm/tasks/Debian_10.yml
@ -28,7 +28,8 @@
  - name: Update php.ini
    template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
    notify: reload php7.3-fpm
+
  tags: php-fpm
-  when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+  when: install_php

 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/Ubuntu_18.04.yml
+++ b/roles/php-fpm/tasks/Ubuntu_18.04.yml
@ -28,7 +28,8 @@
  - name: Update php.ini
    template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
    notify: reload php7.2-fpm
+
  tags: php-fpm
-  when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+  when: install_php

 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/Ubuntu_20.04.yml
+++ b/roles/php-fpm/tasks/Ubuntu_20.04.yml
@ -28,7 +28,8 @@
  - name: Update php.ini
    template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
    notify: reload php7.4-fpm
+
  tags: php-fpm
-  when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+  when: install_php

 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/main.yml
+++ b/roles/php-fpm/tasks/main.yml
@ -4,25 +4,47 @@
 # Ubuntu 20.04 uses PHP 7.4
 # Debian 11 uses PHP 7.4

+# If any of the vhosts on this host need WordPress then we need to install PHP.
+# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
+# any that have has_wordpress defined, and has_wordpress set to True.
+#
+# See: https://stackoverflow.com/a/31896249
+- name: Check if any vhost needs WordPress
+  set_fact:
+    install_php: True
+  when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', True) | list | length > 0"
+
+# Legacy, was only for Piwik, but leaving for now.
+- name: Check if any vhost needs PHP
+  set_fact:
+    install_php: True
+  when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', True) | list | length > 0"
+
+# If install_php has not been set, then we assume no vhosts need PHP. This is
+# a bit hacky, but it's the closest we come to an if/then/else.
+- name: Set install_php to False
+  set_fact:
+    install_php: False
+  when: install_php is not defined
+
 - name: Configure php-fpm on Ubuntu 18.04
  include_tasks: Ubuntu_18.04.yml
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') and install_php
  tags: php-fpm

 - name: Configure php-fpm on Debian 10
  include_tasks: Debian_10.yml
-  when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==')
+  when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') and install_php
  tags: php-fpm

 - name: Configure php-fpm on Ubuntu 20.04
  include_tasks: Ubuntu_20.04.yml
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
+  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') and install_php
  tags: php-fpm

 - name: Configure php-fpm on Debian 11
  include_tasks: Ubuntu_20.04.yml
-  when: ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')
+  when: ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==') and install_php
  tags: php-fpm

-
 # vim: set ts=2 sw=2:
Author	SHA1	Message	Date
Alan Orth	635bb5234d	roles/common: fix logic for copying AbuseIPDB.com nft sets We have to force these because they are not updated on the host like the other lists (API limit of five requests per day!). We update the list periodically here in git.	2021-09-08 09:58:13 +03:00
Alan Orth	37901da5b5	roles/common: update AbuseIPDB lists for nftables	2021-09-08 09:57:58 +03:00
Alan Orth	e36ae3b11e	roles/common: Update list of abusive IP addresses This comes from the AbuseIPDB with a confidence level of 95%. I use the following command to download and sort the IPs: $ curl -G https://api.abuseipdb.com/api/v2/blacklist -d \ confidenceMinimum=95 -H "Key: $ABUSEIPDB_API_KEY" \ -H "Accept: text/plain" \| sort \| sed -e '/:/w /tmp/ipv6.txt' \ -e '/:/d' > /tmp/ipv4.txt I manually add the XML formatting to each file and run them through tidy: $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv4.xml $ tidy -xml -utf8 -m -iq -w 0 roles/common/files/abusers-ipv6.xml	2021-09-08 09:35:36 +03:00
Alan Orth	81c1231a28	roles/php-fpm: Fix logic First, we cannot do a global check for has_wordpress or needs_php, as those are defined per nginx vhost. Second, I realized that this was only working in the past because vhosts that had WordPress or needed PHP were listed first in the nginx_vhosts dict. This changes the logic to first check if any vhosts have WordPress or need PHP, then sets a fact that we can use to decide whether to run php-fpm tasks or not.	2021-09-08 09:32:06 +03:00
Alan Orth	bb6f058025	roles/php-fpm: whitespace	2021-09-07 20:12:31 +03:00