
louim / bedrock-site-protect


Ansible role: Add htpasswd protection to Trellis (Bedrock-Ansible) WordPress sites.

Home Page: https://galaxy.ansible.com/louim/bedrock-site-protect/

ansible-role authentication basic-authentication bedrock bedrock-ansible trellis

bedrock-site-protect's Issues

Multiple Users

Do you have any idea how we could implement support for multiple users?

I suggest using an array of users in the configuration file, like this:

htpasswd:
      - name: firstUser
        password: firstPassword
      - name: secondUser
        password: secondPassword

However, when I try to implement it in your role, I can't get it to work.

- name: Set htpasswd
  htpasswd:
    path: "{{ htpasswd_path }}/{{ item.0.key }}"
    name: "{{ item.1.name }}"
    password: "{{ item.1.password }}"
    crypt_scheme: "{{ item.1.crypt|default(omit) }}"
    owner: root
    group: root
    mode: 0644
  with_subelements:
    - wordpress_sites
    - htpasswd
    - skip_missing: yes

Basically, item.0.key doesn't exist. I don't know if you have another solution?

Thanks.

Issues with Let's Encrypt

I've found that when Let's Encrypt is enabled in Trellis as well as bedrock-site-protect, getting an SSL certificate fails since Let's Encrypt fails the authentication challenge when trying to validate the domain's ownership.

See the latter half of https://discourse.roots.io/t/letsencrypt-acme-challenge-error/6295/9 for where I raised the issue with Trellis before realizing it was to do with auth.

Perhaps an exception can be made, in order to not require auth on the Let's Encrypt routes? It seems that that route is /.well-known/acme-challenge.

See also certbot/certbot#1744

Can I add Allowed From?

Just want to first say, this is a great extension and I'm really grateful for your work.

I used this on a client project on which I want to redirect the client's subdomain to my site, but the http authentication didn't allow it.

Would it be possible to add the following?

<RequireAny>
  Require ip 22.33.44.55
  Require valid-user
</RequireAny>

Thanks. Have an awesome one!

Deprecation warning : Include

[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. [DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged. The module documentation details page may explain more about this rationale.. This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

In tasks/main.yml line 3 and 9

Would be ready to submit a PR but I don't know whether import_tasks or include_tasks is appropriate

Usage with vault.yml

This is really a useful addition, thanks for that.
In the README it says:

You may want to add the htpasswd block in the vault.yml file so password will be encrypted.

But that doesn't work. I don't know anything about Ansible syntax but I presume it's because the variable in vault.yml is called vault_wordpress_sites and not wordpress_sites. Would simply changing the var name everywhere work already or is there more to it? In general I think the password should go into vault.yml.

passlib missing from Trellis install

In the current (roots/trellis@f979bec) version of Trellis, I consistently get the following error while running vagrant up --provision:

TASK [bedrock-site-protect : Set htpasswd] *************************************
System info:
  Ansible 2.7.5; Vagrant 2.2.2; Linux
  Trellis version (per changelog): "Fix Vagrant trigger path"
---------------------------------------------------
This module requires the passlib Python library

The error is fixed by requiring the library explicitly in trellis/group_vars/all/main.yml :

...
apt_packages_custom:
  python3-passlib: present
...

Ref: https://discourse.roots.io/t/provisioning-with-optipng-gifsicle-and-libjpeg-progs/10005/4

I had never needed to require this library beforehand. Is there a way to have this library installed automatically as a dependency when bedrock-site-protect is being installed (or is this a Trellis issue)?

template error while templating string

Hello, @louim,

Hope you are well. I have been running into this error now and then when provisioning Trellis sites that use bedrock-site-protect.

TASK [bedrock-site-protect : Set htpasswd] **************************************************************************************************************************************************************************************
System info:
  Ansible 2.7.5; Linux
  Trellis 1.0.0: December 27th, 2018
---------------------------------------------------
template error while templating string: unexpected char u'$' at 52. String:
^8oea`nE!ke!rQ9-6,g]bQ:g<Q#9@7778Ayrn/$;N{{BwrOt*rtz$?a#tvFE|Hu}
fatal: [example.com]: FAILED! => {}

The offending string will be from vault.yml generated by https://roots.io/salts.html

Generating a new set of salts usually corrects the issue. Is there a way to clear this up permanently?

Documentation + Version Number

Hi,

Running Ansible install fails for me unless version number is set explicitly to 1.1.0

The readme currently says 1.0 which might be worth fixing.

the specified version (1.1) of bedrock-site-protect was not found in the list of available versions

ta

Installed role, added to server.yml, re-deployed, this role does not appear to run

Hey there, this looks like great work, I'm really eager to use it, however, I can't get it to run. I've added the role to the requirements.yml file, installed the role (I can see it inside vendor/roles set up by the ansible.cfg file) and added the appropriate line to server.yml. Do I simply need to run a deployment to that environment for this playbook to fire? Maybe I'm misinterpreting your readme, I'd appreciate any input here, thanks!

TASK [bedrock-site-protect : Set htpasswd] - Failing

Hello I am using the latest version of Trellis. I have never had problems with bedrock-site-protect but something is not working now. I haven't done anything different from the previous projects.
This is what I am getting:

TASK [bedrock-site-protect : Set htpasswd] *************************************************************************************************
task path: /Users/michelecocuccio/Desktop/NUWebsites/Hireworks/trellis/vendor/roles/bedrock-site-protect/tasks/manage.yml:9
System info:
Ansible 2.4.0.0; Darwin
Trellis at "Add MariaDB 10.2 PPA"

template error while templating string: Missing end of comment tag. String:
!aVdPzDfe{h6rxNUM3{3Qn{#.?r*9X}4r-w%dj-:I`mFBZ>4ay4k8UBPudnizV8$
fatal: [138.68.151.12]: FAILED! => {
"failed": true
}

The password is just a string with a number and an exclamation mark and the user is just a string as well:

htpasswd:
  - name: Testing
    password: Magic123!

Any idea on what could be wrong?
Thanks
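
Added example (not part of either issue report or of the role's code): both failing strings above contain a Jinja2 opening delimiter, `{{` in the first (offset 41, with the lexer then stopping at the `$` at offset 52 that the error names) and `{#` in the second. The Python sketch below lints decrypted vault text for such values before provisioning; the vault layout and key names are constructed, and values tagged `!unsafe` or wrapped in `{% raw %}...{% endraw %}` are treated as already exempt from templating.

```python
import re

# Jinja2's default opening delimiters. Ansible treats a string containing one
# as a template, so a random salt holding "{{", "{%" or "{#" can abort a play.
JINJA_OPENERS = re.compile(r"\{\{|\{%|\{#")

def unquote(value):
    """Strip one matching pair of surrounding quotes, if present."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value

def is_protected(raw_value):
    """True if the value is already exempt from templating."""
    if raw_value.strip().startswith("!unsafe"):
        return True
    inner = unquote(raw_value)
    return inner.startswith("{% raw %}") and inner.endswith("{% endraw %}")

def lint_vault(text):
    """Return [(line_no, key, offset, delimiter)] for unprotected values."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        key, sep, raw_value = line.partition(":")
        if not sep or key.lstrip().startswith("#") or is_protected(raw_value):
            continue
        for m in JINJA_OPENERS.finditer(unquote(raw_value)):
            findings.append((line_no, key.strip().lstrip("- "), m.start(), m.group()))
    return findings

# Constructed vault layout (key names are assumptions); the first two salts
# are the strings quoted in the error messages of the two issues above.
SAMPLE_VAULT = r'''
vault_wordpress_sites:
  example.com:
    env:
      auth_key: "^8oea`nE!ke!rQ9-6,g]bQ:g<Q#9@7778Ayrn/$;N{{BwrOt*rtz$?a#tvFE|Hu}"
      secure_auth_key: "!aVdPzDfe{h6rxNUM3{3Qn{#.?r*9X}4r-w%dj-:I`mFBZ>4ay4k8UBPudnizV8$"
      logged_in_key: "{% raw %}x{{y{#z{% endraw %}"
      nonce_key: !unsafe "a{{b"
    htpasswd:
      - name: Testing
        password: Magic123!
'''

if __name__ == "__main__":
    for line_no, key, offset, delim in lint_vault(SAMPLE_VAULT):
        print(f"line {line_no}: {key} contains {delim!r} at offset {offset}")
```
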

No requirements.yml

New Trellis projects have a requirement.txt file. The requirement.yml file seems to be gone. Does this Ansible role still work or is it outdated?

Issue creating /etc/htpasswd as requested: [Errno 13] Permission denied: b'/etc/htpasswd'

When I run
ansible-playbook server.yml -e env=staging -vvv
I get this error

TASK [bedrock-site-protect : Creating htpasswd folder] **************************************************************************************************************************************************************
task path: /.../trellis/vendor/roles/bedrock-site-protect/tasks/install.yml:9
Using module file /Library/Python/2.7/site-packages/ansible/modules/files/file.py
Pipelining is enabled.
<xxx.xxx.xxx.xxx> ESTABLISH SSH CONNECTION FOR USER: admin
<xxx.xxx.xxx.xxx> SSH: EXEC ssh -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="admin"' -o ConnectTimeout=10 -o ControlPath=/Users/.../.ansible/cp/8105218663 xxx.xxx.xxx.xxx '/bin/sh -c '"'"'python3 && sleep 0'"'"''
<xxx.xxx.xxx.xxx> (1, '\n{"msg": "There was an issue creating /etc/htpasswd as requested: [Errno 13] Permission denied: b\'/etc/htpasswd\'", "path": "/etc/htpasswd", "failed": true, "invocation": {"module_args": {"group": "root", "dest": "/etc/htpasswd", "state": "directory", "mode": 493, "owner": "root", "path": "/etc/htpasswd", "recurse": false, "force": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "_original_basename": null, "_diff_peek": null, "src": null, "modification_time": null, "access_time": null, "seuser": null, "serole": null, "selevel": null, "setype": null, "attributes": null, "content": null, "backup": null, "remote_src": null, "regexp": null, "delimiter": null, "directory_mode": null, "unsafe_writes": null}}}\n', '')
<xxx.xxx.xxx.xxx> Failed to connect to the host via ssh:
System info:
  Ansible 2.8.8; Darwin
  Trellis 1.3.0: December 7th, 2019

Allow letsencrypt challenge to pass

Can you please add a rule that allows the letsencrypt challenge to be accessed?

Something such as this:

location /.well-known/acme-challenge {
        # Turn basic auth off for the ACME challenge path only
        auth_basic off;
}

I have only a sketchy understanding of Ansible at present; I am not sure how this would be implemented.

Many thanks!
