louim / bedrock-site-protect

Ansible role: Add htpasswd protection to Trellis (Bedrock-Ansible) WordPress sites.

Home Page: https://galaxy.ansible.com/louim/bedrock-site-protect/

ansible-role trellis bedrock authentication bedrock-ansible basic-authentication

bedrock-site-protect's Introduction

Bedrock Site protect

This role is specifically crafted to go with Trellis. It lets you set Basic authentication on your Bedrock websites. This is especially useful during development if you have a staging environment that you don't want the world to see.

Requirements

This role is made for Trellis (previously known as Bedrock-Ansible), so it depends on it.

Role Variables

The role reads the wordpress_sites dict set in the Trellis environment files and looks for the htpasswd key in each site.

Example:

wordpress_sites:
  example.com:
    site_hosts:
      - canonical: example.dev
    local_path: '../site' # path targeting local Bedrock site directory (relative to Ansible root)
    admin_email: [email protected]
    multisite:
      enabled: false
    ssl:
      enabled: false
    cache:
      enabled: false
    htpasswd:
      - name: user
        password: secret
      - name: user2
        password: secret2

You may want to add the htpasswd block to the vault.yml file so the passwords are encrypted. You can also set htpasswd_path to specify the folder used to store htpasswd files. The default is /etc/htpasswd. If you set this parameter, it is recommended that you set it in the group_vars/all/main.yml file, so it is the same for all environments.

Dependencies

Trellis.

Example Playbook

To get started, add this role (louim.bedrock-site-protect) to the galaxy.yml file in your Trellis installation like so:

- name: bedrock-site-protect
  src: louim.bedrock-site-protect
  version: 2.0.0

Then re-run ansible-galaxy install -r galaxy.yml to install the new role. You might need to add the -f option to force installation of previously downloaded roles.

You will also need to add the role to the server.yml like so:

roles:
  ... other Trellis roles ...
  - { role: bedrock-site-protect, tags: [htpasswd, wordpress, wordpress-setup, letsencrypt] }

Adding / Removing Basic Authentication

To Add: Run the Trellis command to set up your previously configured remote server:

ansible-playbook server.yml -e env=<environment>

To Remove: Remove the following htpasswd block:

  htpasswd:
    - name: user
      password: secret

from the wordpress_sites dict, then reconfigure with: ansible-playbook server.yml -e env=<environment>.

License

MIT

Author Information

© Louis-Michel Couture 2018. Role inspired by ansible-htpasswd by franklinkim


bedrock-site-protect's Issues

Installed role, added to server.yml, re-deployed, this role does not appear to run

Hey there, this looks like great work, I'm really eager to use it, however, I can't get it to run. I've added the role to the requirements.yml file, installed the role (I can see it inside vendor/roles set up by the ansible.cfg file) and added the appropriate line to server.yml. Do I simply need to run a deployment to that environment for this playbook to fire? Maybe I'm misinterpreting your readme, I'd appreciate any input here, thanks!

Deprecation warning : Include

[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged. The module documentation details page may explain more about this rationale.. This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

In tasks/main.yml line 3 and 9

Would be ready to submit a PR but I don't know whether import_tasks or include_tasks is appropriate

Issue creating /etc/htpasswd as requested: [Errno 13] Permission denied: b'/etc/htpasswd'

When I run
ansible-playbook server.yml -e env=staging -vvv
I get this error

TASK [bedrock-site-protect : Creating htpasswd folder] **************************************************************************************************************************************************************
task path: /.../trellis/vendor/roles/bedrock-site-protect/tasks/install.yml:9
Using module file /Library/Python/2.7/site-packages/ansible/modules/files/file.py
Pipelining is enabled.
<xxx.xxx.xxx.xxx> ESTABLISH SSH CONNECTION FOR USER: admin
<xxx.xxx.xxx.xxx> SSH: EXEC ssh -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="admin"' -o ConnectTimeout=10 -o ControlPath=/Users/.../.ansible/cp/8105218663 xxx.xxx.xxx.xxx '/bin/sh -c '"'"'python3 && sleep 0'"'"''
<xxx.xxx.xxx.xxx> (1, '\n{"msg": "There was an issue creating /etc/htpasswd as requested: [Errno 13] Permission denied: b\'/etc/htpasswd\'", "path": "/etc/htpasswd", "failed": true, "invocation": {"module_args": {"group": "root", "dest": "/etc/htpasswd", "state": "directory", "mode": 493, "owner": "root", "path": "/etc/htpasswd", "recurse": false, "force": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "_original_basename": null, "_diff_peek": null, "src": null, "modification_time": null, "access_time": null, "seuser": null, "serole": null, "selevel": null, "setype": null, "attributes": null, "content": null, "backup": null, "remote_src": null, "regexp": null, "delimiter": null, "directory_mode": null, "unsafe_writes": null}}}\n', '')
<xxx.xxx.xxx.xxx> Failed to connect to the host via ssh:
System info:
  Ansible 2.8.8; Darwin
  Trellis 1.3.0: December 7th, 2019

passlib missing from Trellis install

In the current (roots/trellis@f979bec) version of Trellis, I consistently get the following error while running vagrant up --provision:

TASK [bedrock-site-protect : Set htpasswd] *************************************
System info:
  Ansible 2.7.5; Vagrant 2.2.2; Linux
  Trellis version (per changelog): "Fix Vagrant trigger path"
---------------------------------------------------
This module requires the passlib Python library

The error is fixed by requiring the library explicitly in trellis/group_vars/all/main.yml:

...
apt_packages_custom:
  python3-passlib: present
...

Ref: https://discourse.roots.io/t/provisioning-with-optipng-gifsicle-and-libjpeg-progs/10005/4

I had never needed to require this library beforehand. Is there a way to have this library installed automatically as a dependency when bedrock-site-protect is being installed (or is this a Trellis issue)?

Issues with Let's Encrypt

I've found that when Let's Encrypt is enabled in Trellis as well as bedrock-site-protect, getting an SSL certificate fails since Let's Encrypt fails the authentication challenge when trying to validate the domain's ownership.

See the latter half of https://discourse.roots.io/t/letsencrypt-acme-challenge-error/6295/9 for where I raised the issue with Trellis before realizing it was to do with auth.

Perhaps an exception can be made, in order to not require auth on the Let's Encrypt routes? It seems that that route is /.well-known/acme-challenge.

See also certbot/certbot#1744

Allow letsencrypt challenge to pass

Can you please add a rule that allows the letsencrypt challenge to be accessed?

Something such as this:

location /.well-known/acme-challenge {
        # turn Basic auth off for the ACME challenge path only
        auth_basic off;
}

I have only a sketchy understanding of Ansible at present; I am not sure how this would be implemented.

Many thanks!

template error while templating string

Hello, @louim,

Hope you are well. I have been running into this error now and then when provisioning Trellis sites that use bedrock-site-protect.

TASK [bedrock-site-protect : Set htpasswd] **************************************************************************************************************************************************************************************
System info:
  Ansible 2.7.5; Linux
  Trellis 1.0.0: December 27th, 2018
---------------------------------------------------
template error while templating string: unexpected char u'$' at 52. String:
^8oea`nE!ke!rQ9-6,g]bQ:g<Q#9@7778Ayrn/$;N{{BwrOt*rtz$?a#tvFE|Hu}
fatal: [example.com]: FAILED! => {}

The offending string will be from vault.yml generated by https://roots.io/salts.html

Generating a new set of salts usually corrects the issue. Is there a way to clear this up permanently?

Documentation + Version Number

Hi,

Running Ansible install fails for me unless version number is set explicitly to 1.1.0

The readme currently says 1.0 which might be worth fixing.

the specified version (1.1) of bedrock-site-protect was not found in the list of available versions

ta

Usage with vault.yml

This is really a useful addition, thanks for that.
In the README it says:

You may want to add the htpasswd block in the vault.yml file so password will be encrypted.

But that doesn't work. I don't know anything about Ansible syntax but I presume it's because the variable in vault.yml is called vault_wordpress_sites and not wordpress_sites. Would simply changing the var name everywhere work already or is there more to it? In general I think the password should go into vault.yml.

No requirements.yml

New Trellis projects have a requirement.txt file. The requirement.yml file seems to be gone. Does this Ansible role still work or is it outdated?

Can I add Allowed From?

Just want to first say, this is a great extension and I'm really grateful for your work.

I used this on a client project on which I want to redirect the client's subdomain to my site, but the http authentication didn't allow it.

Would it be possible to add the following?

<RequireAny>
  Require ip 22.33.44.55
  Require valid-user
</RequireAny>

Thanks. Have an awesome one!

TASK [bedrock-site-protect : Set htpasswd] - Failing

Hello, I am using the latest version of Trellis. I have never had problems with bedrock-site-protect but something is not working now. I haven't done anything different from the previous projects.
This is what I am getting:

TASK [bedrock-site-protect : Set htpasswd] *************************************************************************************************
task path: /Users/michelecocuccio/Desktop/NUWebsites/Hireworks/trellis/vendor/roles/bedrock-site-protect/tasks/manage.yml:9
System info:
Ansible 2.4.0.0; Darwin
Trellis at "Add MariaDB 10.2 PPA"

template error while templating string: Missing end of comment tag. String:
!aVdPzDfe{h6rxNUM3{3Qn{#.?r*9X}4r-w%dj-:I`mFBZ>4ay4k8UBPudnizV8$
fatal: [138.68.151.12]: FAILED! => {
"failed": true
}

The password is just a string with a number and an exclamation mark and the user is just a string as well:

htpasswd:
  - name: Testing
    password: Magic123!

Any idea on what could be wrong?
Thanks
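Both "template error while templating string" reports on this page quote a generated salt that contains a Jinja2 opening delimiter (`{{` in the first, `{#` in this one), which Ansible tries to template. The following is an added example, not code from this role or from Trellis: a Python pre-flight check that finds such values and wraps them in `{% raw %}...{% endraw %}`. The variable names in the sample are hypothetical; the two salt strings are the ones quoted in the issues.

```python
import re

# Sequences Jinja2 (and therefore Ansible) reads as the start of an
# expression, a statement, or a comment.
JINJA_OPENERS = {"{{": "expression", "{%": "statement", "{#": "comment"}
_OPENER_RE = re.compile(r"\{[\{%#]")
_ENDRAW_RE = re.compile(r"\{%[-+]?\s*endraw")


def jinja_hazards(value):
    """Return (offset, delimiter, kind) for every Jinja2 opener in value."""
    return [(m.start(), m.group(), JINJA_OPENERS[m.group()])
            for m in _OPENER_RE.finditer(value)]


def wrap_raw(value):
    """Wrap value so the templating engine passes it through untouched."""
    if _ENDRAW_RE.search(value):
        # A literal endraw tag would close the raw block early.
        raise ValueError("value contains an endraw tag; regenerate it")
    return "{% raw %}" + value + "{% endraw %}"


def audit(secrets):
    """Map each risky variable name to its raw-wrapped replacement."""
    return {name: wrap_raw(val)
            for name, val in secrets.items() if jinja_hazards(val)}


# Sample input: variable names are hypothetical, salts are the two strings
# quoted in the issues, the password is the one from this issue.
SAMPLE = {
    "auth_salt": "^8oea`nE!ke!rQ9-6,g]bQ:g<Q#9@7778Ayrn/$;N{{BwrOt*rtz$?a#tvFE|Hu}",
    "nonce_salt": "!aVdPzDfe{h6rxNUM3{3Qn{#.?r*9X}4r-w%dj-:I`mFBZ>4ay4k8UBPudnizV8$",
    "htpasswd_password": "Magic123!",
}

if __name__ == "__main__":
    for name, value in SAMPLE.items():
        for offset, delim, kind in jinja_hazards(value):
            print(f"{name}: {delim!r} at offset {offset} opens a Jinja2 {kind}")
    for name, fixed in audit(SAMPLE).items():
        print(f"{name}: \"{fixed}\"")
```

On the sample, only the two salts are flagged; the htpasswd password contains no Jinja2 delimiter.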

Multiple Users

Do you have any idea how we could implement support for multiple users?

I suggest using an array of users in the configuration file, like this:

htpasswd:
      - name: firstUser
        password: firstPassword
      - name: secondUser
        password: secondPassword

However, when I try to implement it in your role, I can't get it to work.

- name: Set htpasswd
  htpasswd:
    path: "{{ htpasswd_path }}/{{ item.0.key }}"
    name: "{{ item.1.name }}"
    password: "{{ item.1.password }}"
    crypt_scheme: "{{ item.1.crypt|default(omit) }}"
    owner: root
    group: root
    mode: 0644
  with_subelements:
    - wordpress_sites
    - htpasswd
    - skip_missing: yes

Basically, item.0.key doesn't exist. I don't know if you have another solution?

Thanks.
